Platform: wordpress
Component: classic-addons-wpbakery-page-builder-addons
Fixed in: 3.0.1
CVE-2024-56286 describes a Path Traversal vulnerability within the Classic Addons – WPBakery Page Builder plugin for WordPress. This vulnerability allows for PHP Local File Inclusion, potentially granting an attacker the ability to read sensitive files or execute arbitrary code on the server. The vulnerability affects versions of the plugin up to and including 3.0. A patch is available in version 3.0.1.
The primary impact of this vulnerability is the potential for unauthorized access to sensitive files and arbitrary code execution. An attacker could exploit this Path Traversal flaw to include and execute malicious PHP code, leading to complete server compromise. This could involve stealing database credentials, modifying website content, installing backdoors, or launching further attacks against other systems on the network. The ability to read arbitrary files could expose configuration data, API keys, or other sensitive information. Given the widespread use of WordPress and the popularity of page builder plugins, this vulnerability presents a significant risk.
CVE-2024-56286 was publicly disclosed on 2025-01-07. Currently, there are no known active campaigns targeting this vulnerability, and no public proof-of-concept exploits have been released. However, the ease of exploitation associated with Path Traversal vulnerabilities suggests a high likelihood of exploitation if left unpatched. The vulnerability is not currently listed in the CISA KEV catalog.
EPSS: 0.22% (44th percentile)
The primary mitigation for CVE-2024-56286 is to immediately upgrade Classic Addons – WPBakery Page Builder to version 3.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable plugin’s directory or implementing strict file access controls on the server. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious path manipulation attempts. Monitor WordPress logs for unusual file access patterns or PHP execution attempts originating from unexpected locations.
Update the Classic Addons – WPBakery Page Builder plugin to a version later than 3.0. If no such version is available, consider disabling the plugin until a fixed release is published. Review the release notes of the updated version to confirm that the vulnerability has been fixed.
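The log monitoring suggested above can start with a scan of the web server access log for traversal sequences, including percent-encoded and double-encoded forms that a literal `../` match misses. This is an added example, not code from the plugin or the advisory; the log lines are constructed, and the parameter name `tpl` and action `demo` are placeholders because the advisory does not name the affected input.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format). The parameter name
# "tpl" and the "demo" action are placeholders, not the plugin's real inputs.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=demo&tpl=../../../wp-config.php HTTP/1.1" 200 512
203.0.113.5 - - [08/Jan/2025:10:01:09 +0000] "GET /?tpl=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 94
198.51.100.7 - - [08/Jan/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/01/logo..png HTTP/1.1" 200 2048
198.51.100.7 - - [08/Jan/2025:10:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [08/Jan/2025:10:03:15 +0000] "GET /index.php?tpl=..%5c..%5cwp-config HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
# ".." as a whole path segment: after a separator or parameter delimiter,
# followed by a slash, backslash or end of string ("logo..png" does not match).
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_requests(log_text):
    """Return (client_ip, decoded_target, status) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        decoded = fully_decode(target)
        if TRAVERSAL_RE.search(decoded):
            hits.append((ip, decoded, int(status)))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{status} {ip} {target}")
```

Hits that returned status 200 deserve review first, since a 404 usually means the request did not reach an includable file.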
CVE-2024-56286 is a Path Traversal vulnerability in Classic Addons – WPBakery Page Builder allowing PHP Local File Inclusion, potentially leading to code execution.
Yes, if you are using Classic Addons – WPBakery Page Builder version 3.0 or earlier, you are affected by this vulnerability.
Upgrade to version 3.0.1 or later to resolve the vulnerability. If immediate upgrade isn't possible, implement temporary restrictions.
Currently, there are no confirmed active exploitation campaigns, but the vulnerability's nature suggests a potential for future exploitation.
Refer to the official Classic Addons website or WordPress plugin repository for the latest advisory and update information.