Platform
wordpress
Component
jet-elements
Fixed in
2.6.21
CVE-2024-7145 is a Local File Inclusion (LFI) vulnerability affecting the JetElements plugin for WordPress. This vulnerability allows authenticated attackers, with Contributor-level access or higher, to include and execute arbitrary files on the server. The vulnerability impacts versions up to and including 2.6.20 and can lead to sensitive data exposure or complete code execution. A fix is available in a later version of the plugin.
The impact of CVE-2024-7145 is significant due to the potential for remote code execution (RCE). An attacker who can successfully exploit this vulnerability can upload a malicious image or other file type, then use the 'progress_type' parameter to include and execute it. This effectively bypasses access controls and allows the attacker to run arbitrary PHP code on the server. The attacker could then steal sensitive data, modify website content, install malware, or even gain complete control of the WordPress instance. This vulnerability shares similarities with other LFI exploits where file inclusion is leveraged to execute malicious code.
CVE-2024-7145 was publicly disclosed on August 16, 2024. There is currently no indication of active exploitation in the wild, but the availability of a public proof-of-concept could change this. The vulnerability is not currently listed on the CISA KEV catalog. The relatively low barrier to entry (requiring only Contributor-level access) makes it a potential target for opportunistic attackers.
Exploit Status
EPSS
0.57% (69% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-7145 is to upgrade the JetElements plugin to a version that addresses the vulnerability. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file upload permissions and carefully reviewing all uploaded files for malicious content. Web Application Firewall (WAF) rules can be configured to block requests containing suspicious characters in the 'progress_type' parameter. Monitor WordPress logs for unusual file access patterns or PHP execution errors.
Actualice el plugin JetElements a la última versión disponible. Esto solucionará la vulnerabilidad de inclusión de archivos locales.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-7145 is a Local File Inclusion vulnerability in the JetElements WordPress plugin, allowing authenticated users to execute arbitrary PHP code. It affects versions up to 2.6.20 and poses a significant security risk.
You are affected if your WordPress site uses the JetElements plugin and is running version 2.6.20 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the JetElements plugin to the latest available version. If upgrading is not possible, implement temporary workarounds like restricting file upload permissions and WAF rules.
There is currently no confirmed active exploitation of CVE-2024-7145, but the availability of a proof-of-concept makes it a potential target.
Refer to the official JetElements plugin website or their support channels for the latest advisory and updates regarding CVE-2024-7145.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.