Platform: wordpress
Component: wpbakery
Fixed in: 7.7.1
A critical Local File Inclusion (LFI) vulnerability has been identified in WPBakery Visual Composer, affecting versions up to 7.7. The flaw allows authenticated attackers with Author-level access or higher to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability was publicly disclosed on August 6, 2024; upgrading to the patched version (7.7.1) is recommended to address the risk.
The impact of CVE-2024-5709 is severe due to the potential for remote code execution (RCE). An attacker who can successfully exploit this vulnerability can upload seemingly innocuous files (like images) and then include them via the 'layout_name' parameter, effectively executing arbitrary PHP code. This could allow them to gain full control over the WordPress instance, steal sensitive data (user credentials, database information), modify website content, or even install malware. The ability to bypass access controls and execute code within the WordPress environment significantly expands the attack surface and increases the potential for widespread damage.
CVE-2024-5709 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's ease of exploitation and the high impact. The vulnerability's reliance on authenticated access suggests that targeted attacks against WordPress sites with existing vulnerabilities or weak credentials are most likely. The NVD entry was published on August 6, 2024.
EPSS: 0.69% (72nd percentile)
The primary mitigation for CVE-2024-5709 is to upgrade WPBakery Visual Composer to 7.7.1 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, apply temporary workarounds: restrict file upload permissions so that attackers cannot place files that could later be included; enforce strict input validation on the 'layout_name' parameter (an allowlist of known layout names, rejecting anything containing path separators or traversal sequences); and consider a Web Application Firewall (WAF) with rules that block attempts to include arbitrary files. After upgrading, confirm the vulnerability is resolved by attempting to trigger the LFI with a non-existent file and verifying that the request is denied.
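The allowlist check and the WAF/log-monitoring workaround described above, as an added example that is not code from WPBakery or from this advisory. The layout names, the `validate_layout_name`/`classify_request`/`scan_access_log` functions and every request and log line below are constructed for illustration; a real deployment would allowlist the layout names its own theme actually ships.

```python
"""
Added example (not WPBakery code): a defensive allowlist check for a
template-name parameter such as 'layout_name', plus a simple access-log
scan that flags requests carrying path-like values for that parameter.
All names, requests and log lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of layout names the application actually ships.
ALLOWED_LAYOUTS = {"default", "two-column", "sidebar-left"}

# Strict shape for a layout name: lowercase letters, digits and hyphens only.
SAFE_NAME = re.compile(r"^[a-z0-9-]{1,40}$")

# Patterns that indicate the parameter is being turned into a file path.
# parse_qs() already percent-decodes, so both raw and encoded forms are listed.
TRAVERSAL = re.compile(
    r"(\.\./|\.\.\\|%2e%2e|%00|\x00|/wp-content/uploads/)", re.IGNORECASE
)


def validate_layout_name(value) -> bool:
    """Return True only for a known layout name.

    Rejects path separators, traversal sequences, null bytes, mixed case and
    anything not in the allowlist, so the value can never name an arbitrary file.
    """
    if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
        return False
    return value in ALLOWED_LAYOUTS


def classify_request(url: str) -> str:
    """Classify a request URL as 'clean', 'blocked' or 'no-param'.

    This is the decision a WAF rule or a server-side guard would make before
    the value reaches any include() call.
    """
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    values = query.get("layout_name")
    if not values:
        return "no-param"
    return "clean" if validate_layout_name(values[0]) else "blocked"


def scan_access_log(lines):
    """Return (client_ip, url) pairs for lines whose layout_name is suspicious.

    Expects Apache/nginx combined-format lines; field 6 is the request path.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not a combined-format line
        ip, url = parts[0], parts[6]
        query = parse_qs(urlparse(url).query)
        for val in query.get("layout_name", []):
            if TRAVERSAL.search(val) or not validate_layout_name(val):
                hits.append((ip, url))
                break
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Aug/2024:10:00:01 +0000] "GET /?layout_name=default HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Aug/2024:10:00:02 +0000] "GET /?layout_name=../../wp-content/uploads/2024/08/img.png HTTP/1.1" 200 77',
    '198.51.100.7 - - [06/Aug/2024:10:00:03 +0000] "GET /?layout_name=two-column HTTP/1.1" 200 480',
]

if __name__ == "__main__":
    for ip, url in scan_access_log(SAMPLE_LOG):
        print(f"suspicious layout_name from {ip}: {url}")
```

The allowlist is the important part: a denylist of traversal strings alone is bypassable, whereas a value that must equal one of a handful of fixed names cannot resolve to any path the developer did not intend. The log scan is for retrospective review of the window before the upgrade, not a substitute for it.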
Update the WPBakery Visual Composer plugin to the latest available version. This will fix the local file inclusion vulnerability.
CVE-2024-5709 is a Local File Inclusion vulnerability in WPBakery Visual Composer versions up to 7.7, allowing authenticated attackers to execute arbitrary PHP code.
If you are running WPBakery Visual Composer version 7.7 or earlier, your site is affected by this LFI vulnerability.
Upgrade WPBakery Visual Composer to the latest patched version (7.7.1 or later). If an immediate upgrade is not possible, apply temporary workarounds such as restricting file uploads and validating the 'layout_name' parameter against an allowlist.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon.
Refer to the official WPBakery website and WordPress security announcements for the latest advisory and patch information.