Platform: wordpress
Component: wpzoom-elementor-addons
Fixed in: 1.1.38
CVE-2024-5147 is a critical Local File Inclusion (LFI) vulnerability in the WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress. It allows unauthenticated attackers to include and execute arbitrary files on the server, which can lead to complete system compromise. All plugin versions up to and including 1.1.37 are affected; the fix shipped in version 1.1.38.
The impact of CVE-2024-5147 is severe. An attacker who exploits this LFI vulnerability can execute arbitrary PHP code on the WordPress server, bypass access controls, steal sensitive data (database credentials, user information, and potentially the entire WordPress installation), and ultimately take full control of the web server. With arbitrary code execution, the attacker can install backdoors, deface the website, or use the server as a launchpad for further attacks. Because no authentication is required, any remote user can attempt the attack, which significantly increases the risk.
CVE-2024-5147 was publicly disclosed on May 22, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation make exploitation highly likely. The vulnerability is not currently listed in the CISA KEV catalog. Given the vulnerability's nature and severity, public proof-of-concept exploits are likely to emerge.
Exploit Status
EPSS: 0.76% (73rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-5147 is to upgrade the WPZOOM Addons for Elementor plugin immediately to a version that addresses the vulnerability (1.1.38 or later). If upgrading is not immediately possible because of compatibility issues or breaking changes, temporarily restrict access to the affected 'grid_style' parameter using a WordPress security plugin or by modifying the plugin's code (advanced users only). A Web Application Firewall (WAF) can be configured to block requests whose 'grid_style' parameter contains suspicious patterns. Monitor WordPress logs for unusual file inclusion attempts targeting the 'grid_style' parameter.
Update the WPZOOM Addons for Elementor (Templates, Widgets) plugin to version 1.1.38 or later (the latest available version). This resolves the Local File Inclusion vulnerability and protects your website from attacks against it.
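As an added example of the log monitoring recommended above (not code from this advisory, the plugin, or its vendor), the script below parses constructed web-server access-log lines, decodes the grid_style value including double-encoded variants, and flags values that look like traversal sequences, absolute paths, NUL bytes, or PHP stream wrappers. The combined log format and the detection heuristics are assumptions, not a vendor-supplied signature.

```python
# Scan access logs for LFI-style values in the grid_style parameter. Added example
# for this advisory, not vendor/project code: the log lines are constructed and the
# indicators (traversal, absolute paths, NUL bytes, PHP stream wrappers) are generic.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TRAVERSAL = re.compile(r'\.\.[\\/]|^[\\/]')  # "../" anywhere, or an absolute path
WRAPPER = re.compile(r'^(?:php|file|phar|zip|data|expect|glob)\s*:', re.IGNORECASE)

# Constructed sample log: one benign value, three abusive ones, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [22/May/2024:10:01:02 +0000] "GET /?grid_style=grid-2 HTTP/1.1" 200 5120',
    '203.0.113.11 - - [22/May/2024:10:01:05 +0000] "GET /?grid_style=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 812',
    '203.0.113.12 - - [22/May/2024:10:01:09 +0000] "GET /?grid_style=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    '203.0.113.13 - - [22/May/2024:10:01:12 +0000] "GET /?grid_style=file%3A%2F%2F%2Fetc%2Fhosts HTTP/1.1" 200 3300',
    '203.0.113.14 - - [22/May/2024:10:01:15 +0000] "GET /?p=42 HTTP/1.1" 200 7000',
]

def decode_param(raw: str, rounds: int = 3) -> str:
    # Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is unmasked.
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_value(value: str) -> bool:
    # True if the decoded value looks like a path, traversal sequence or stream wrapper.
    decoded = decode_param(value)
    return "\x00" in decoded or bool(TRAVERSAL.search(decoded) or WRAPPER.search(decoded))

def scan_log(lines):
    # One record per request whose grid_style value trips the heuristics.
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line or a different log format
        client, when, _method, target, status = match.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # decodes one layer
        for value in params.get("grid_style", []):
            if is_suspicious_value(value):
                hits.append({"client": client, "time": when, "status": int(status),
                             "grid_style": decode_param(value)})
    return hits
```

Access logs only expose GET query strings; a value submitted in a POST body needs request-body logging or a WAF in front of the site to be seen.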
CVE-2024-5147 is a critical Local File Inclusion (LFI) vulnerability in the WPZOOM Addons for Elementor plugin, allowing attackers to execute arbitrary code on the server.
You are affected if you are using WPZOOM Addons for Elementor version 1.1.37 or earlier. Immediately check your plugin version and upgrade if necessary.
Upgrade the WPZOOM Addons for Elementor plugin to the latest available version. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the 'grid_style' parameter.
While no confirmed active exploitation campaigns are currently known, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the WPZOOM website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-5147.