Platform: wordpress
Component: startklar-elmentor-forms-extwidgets
Fixed in: 1.7.16
CVE-2024-5153 describes a critical Path Traversal vulnerability affecting the Startklar Elementor Addons plugin for WordPress. This vulnerability allows unauthenticated attackers to read arbitrary files and delete directories on the server. The vulnerability impacts versions of the plugin up to and including 1.7.15. A patch is available from the vendor.
The impact of this vulnerability is severe. An attacker can leverage the 'dropzone_hash' parameter to bypass security controls and access files outside of the intended directory. This could lead to the exposure of sensitive data such as database credentials, configuration files, or even source code. Furthermore, the attacker can delete arbitrary directories, potentially disrupting the entire WordPress installation or causing irreversible data loss. The ability to delete the root WordPress directory represents a significant escalation of the attack's potential impact.
This vulnerability was publicly disclosed on 2024-06-06. While no active exploitation campaigns have been confirmed, the critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and severity.
Exploit Status
EPSS: 5.45% (90th percentile)
The primary mitigation is to upgrade to a patched version of the Startklar Elementor Addons plugin. The vendor has not specified a fixed version, so check their official advisory for the latest release. As a temporary workaround, restrict access to the vulnerable endpoint using a web application firewall (WAF) or proxy server. Apply strict file permissions to the WordPress installation so that the web server account can read and delete only what it needs, limiting the damage if the vulnerable endpoint is reached. Consider using a security plugin that can monitor file integrity and detect unauthorized changes.
Update the Startklar Elementor Addons plugin to the latest available version. This will fix the path traversal vulnerability that allows for arbitrary directory deletion. If no version is available, consider disabling the plugin until an update is released.
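As an added example (not the plugin's or the advisory's own code), the following Python scanner flags web access-log requests whose 'dropzone_hash' parameter is shaped like a path traversal, including single- and double-percent-encoded forms. The endpoint path and the assumption that a legitimate value is a hex token are both placeholders, since the advisory states neither, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a legitimate dropzone_hash is a hex token; the advisory does not
# give its format, so tune this to what the plugin actually sends on your site.
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{8,64}$")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format; the endpoint path is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2024:10:01:12 +0000] "GET /wp-content/plugins/PLACEHOLDER/endpoint.php?dropzone_hash=0123456789abcdef0123456789abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jun/2024:10:02:40 +0000] "GET /wp-content/plugins/PLACEHOLDER/endpoint.php?dropzone_hash=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [06/Jun/2024:10:02:41 +0000] "GET /wp-content/plugins/PLACEHOLDER/endpoint.php?dropzone_hash=%252e%252e%252f%252e%252e%252fsecret HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [06/Jun/2024:10:03:05 +0000] "POST /wp-content/plugins/PLACEHOLDER/endpoint.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e style evasion is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(value: str) -> list[str]:
    """Return the reasons a dropzone_hash value looks like path traversal (empty if clean)."""
    decoded = fully_decode(value).replace("\\", "/")
    reasons = []
    if re.search(r"(^|/)\.\.(/|$)", decoded):
        reasons.append("dot-dot segment")
    if decoded.startswith("/"):
        reasons.append("absolute path")
    if "\x00" in decoded:
        reasons.append("null byte")
    if not reasons and not HEX_TOKEN.match(decoded):
        reasons.append("unexpected token shape")
    return reasons


def scan_access_log(lines) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, raw value, reasons) for every suspicious dropzone_hash in the query string.
    Caveat: POST bodies are not in access logs, so this only sees the parameter sent via GET."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("dropzone_hash", []):
            reasons = traversal_indicators(value)
            if reasons:
                findings.append((n, value, reasons))
    return findings
```

Run `scan_access_log(SAMPLE_LOG.splitlines())` to see the two encoded traversal attempts reported; the benign hex token and the POST request (parameter not visible in the log) are not flagged.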
CVE-2024-5153 is a critical vulnerability allowing attackers to read and delete files on a WordPress server through the 'dropzone_hash' parameter in the Startklar Elementor Addons plugin.
You are affected if you are using Startklar Elementor Addons version 1.7.15 or earlier. Check your plugin version and upgrade immediately.
Upgrade to the latest version of the Startklar Elementor Addons plugin. Consult the vendor's advisory for the specific fixed version.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a likely target.
Check the Startklar Elementor Addons website and WordPress plugin repository for the official advisory and patch information.