Platform: wordpress
Component: lastudio-element-kit
Fixed in: 1.3.9
CVE-2024-5349 describes a Local File Inclusion (LFI) vulnerability affecting the LA-Studio Element Kit for Elementor WordPress plugin. This vulnerability allows authenticated users with Contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions of the plugin up to and including 1.3.8.1. A patch is expected to be released by the vendor.
The impact of CVE-2024-5349 is significant due to the potential for remote code execution. An attacker who can successfully exploit this vulnerability can upload seemingly harmless files (like images) and then include them via the 'map_style' parameter, effectively executing arbitrary PHP code. This could allow them to gain full control of the WordPress site, steal sensitive data (user credentials, database information), modify website content, or even install malware. The ability to bypass access controls and execute code makes this a particularly dangerous vulnerability, similar in impact to other LFI vulnerabilities that have led to complete system compromise.
CVE-2024-5349 was publicly disclosed on 2024-07-02. While no public proof-of-concept (PoC) has been widely released, the vulnerability's nature and ease of exploitation suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's impact and relatively simple exploitation path make it a likely target for malicious actors.
Exploit Status
EPSS: 0.49% (65th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-5349 is to upgrade to a patched version of the LA-Studio Element Kit for Elementor plugin as soon as it becomes available. Until a patch is released, consider restricting file upload permissions to prevent attackers from uploading files they can later include. Implement strict input validation on the 'map_style' parameter to prevent malicious input. Web Application Firewalls (WAFs) configured to detect and block attempts to include arbitrary files can also provide a layer of protection. Monitor WordPress logs for suspicious activity, such as attempts to access unusual files or execute PHP code from unexpected locations.
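As an added example that is not the plugin's own code (this page does not show how the plugin handles the option), the hypothetical PHP below contrasts the kind of include that turns 'map_style' into a file-inclusion sink with an allowlist-based resolver of the sort the mitigation paragraph calls for; the template names and directory are assumptions.

```php
<?php
// Added example, not code from the LA-Studio Element Kit plugin. A hypothetical
// widget option named 'map_style' is used to pick a PHP template to render.

// Hypothetical unsafe pattern: the supplied value is used directly as a path,
// so a path to an uploaded "image" containing PHP would be executed.
function render_map_style_unsafe(string $map_style): void {
    include $map_style;
}

// Hardened form: 'map_style' is a key into a fixed allowlist, never a path.
// Template names and the directory are assumptions for this example.
const MAP_STYLE_TEMPLATES = [
    'default' => 'default.php',
    'dark'    => 'dark.php',
    'minimal' => 'minimal.php',
];

// Returns the absolute template path for an allowlisted style, or null.
function resolve_map_style(string $map_style): ?string {
    $base = realpath(__DIR__ . '/templates/map');
    if ($base === false || !isset(MAP_STYLE_TEMPLATES[$map_style])) {
        return null; // unknown style: refuse rather than guess
    }
    $path = realpath($base . '/' . MAP_STYLE_TEMPLATES[$map_style]);
    // Defence in depth: the resolved file must still live under the template
    // directory, even though the allowlist already prevents arbitrary values.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_map_style(string $map_style): void {
    $path = resolve_map_style($map_style) ?? resolve_map_style('default');
    if ($path !== null) {
        include $path;
    }
}
```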
Update the LA-Studio Element Kit for Elementor plugin to the latest available version. This will fix the local file inclusion vulnerability.
CVE-2024-5349 is a Local File Inclusion vulnerability in the LA-Studio Element Kit for Elementor WordPress plugin, allowing authenticated attackers to execute arbitrary PHP code.
You are affected if you are using LA-Studio Element Kit for Elementor version 1.3.8.1 or earlier.
Upgrade to the latest version of the LA-Studio Element Kit for Elementor plugin as soon as a patch is released. Until then, implement mitigation steps like restricting file uploads and input validation.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests a high probability of exploitation.
Check the LA-Studio Element Kit website and WordPress plugin repository for updates and advisories related to CVE-2024-5349.