Platform
wordpress
Component
cowidgets-elementor-addons
Fixed in
1.1.2
CVE-2024-5179 is a Local File Inclusion (LFI) vulnerability in the Cowidgets – Elementor Addons plugin for WordPress. It allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server, which can lead to code execution. All versions of the plugin up to and including 1.1.1 are affected; the issue is fixed in version 1.1.2.
The impact of CVE-2024-5179 is significant because of the potential for code execution. The vulnerable 'item_style' and 'style' parameters accept a file path that the plugin includes, so an attacker can include any readable file on the server. Where images or other "safe" file types containing PHP code can be uploaded (for example to the media library), including such a file executes that PHP. Note that a default WordPress Contributor cannot upload media (the upload_files capability starts at the Author role), so the code-execution outcome depends on the attacker also having some way to place a file on disk; the inclusion itself is reachable at Contributor level regardless, and on its own can expose files the account should not be able to read. A successful chain lets the attacker bypass access controls, read sensitive data such as configuration files, modify site content, or take complete control of the WordPress instance. The exposure is broad on sites that hand out Contributor accounts freely, such as multi-author or user-submission sites.
CVE-2024-5179 was publicly disclosed on June 6, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. The ease of exploitation, combined with the widespread use of WordPress and Elementor, suggests that this vulnerability could become a target for opportunistic attackers.
Exploit Status
EPSS
0.33% (56th percentile)
The primary mitigation for CVE-2024-5179 is to upgrade Cowidgets – Elementor Addons to version 1.1.2 or later. If upgrading immediately is not possible because of compatibility concerns, reduce the exposure in the meantime: review which accounts hold Contributor or higher roles and remove any that are not needed, restrict file upload permissions so that low-privileged users cannot place files on the server, and make sure uploaded files cannot be executed as PHP. Input validation on the 'item_style' and 'style' parameters should be an allowlist of the style names the widget actually ships, not a blocklist of traversal strings. A Web Application Firewall that rejects directory traversal sequences, PHP stream wrappers (such as php://) and absolute paths in those parameters adds a layer of defence but is not a substitute for the patch. After upgrading, verify the fix by confirming the installed version rather than by probing the parameters: in the WordPress admin the Plugins page should show 1.1.2 or later, or from the command line `wp plugin get cowidgets-elementor-addons --field=version` should print a version of at least 1.1.2.
Update the Cowidgets – Elementor Addons plugin to the latest available version. The vulnerability allows local file inclusion, which could permit execution of arbitrary PHP code on the server.
CVE-2024-5179 is a Local File Inclusion vulnerability in the Cowidgets – Elementor Addons plugin for WordPress that allows authenticated attackers with Contributor-level access or higher to include arbitrary files and, where they can also place a file containing PHP on the server, execute arbitrary PHP code.
You are affected if you are using Cowidgets – Elementor Addons version 1.1.1 or earlier.
Upgrade Cowidgets – Elementor Addons to version 1.1.2 or later. If an immediate upgrade is not possible, review which accounts hold Contributor or higher roles, restrict file upload permissions, and validate the 'item_style' and 'style' parameters against an allowlist.
As of now, there are no known public exploits or active campaigns targeting CVE-2024-5179, but it remains a potential target.
Refer to the Cowidgets official website or WordPress plugin repository for updates and advisories related to CVE-2024-5179.