Platform: wordpress
Component: jettabs
Fixed in: 2.2.4
CVE-2024-7146 describes a Local File Inclusion (LFI) vulnerability in the JetTabs for Elementor WordPress plugin. It allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. Versions of the plugin up to and including 2.2.3 are affected; the fix is available in version 2.2.4.
The impact of this vulnerability is significant due to its potential for code execution. An attacker who can exploit this LFI can upload seemingly harmless files (like images) and then include them in a way that executes arbitrary PHP code. This could allow them to bypass access controls, steal sensitive data stored on the server, or even gain complete control of the WordPress site. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including defacement, data breaches, and the installation of backdoors. The attacker's access level requirement (Contributor or higher) is relatively low, making a large number of WordPress users potentially vulnerable.
CVE-2024-7146 was publicly disclosed on August 16, 2024. There is currently no indication of active exploitation in the wild, but the availability of a public vulnerability description and the relatively low access requirements increase the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation once a malicious file is uploaded.
Exploit Status
EPSS: 0.37% (59th percentile)
The primary mitigation for CVE-2024-7146 is to upgrade the JetTabs for Elementor plugin to a version that contains the fix. If an immediate upgrade is not possible because of compatibility or testing requirements, consider temporary workarounds: restrict file upload permissions so that low-privileged users cannot upload files the plugin could later include, and enforce stricter input validation on the 'switcher_preset' parameter so that it can only select a known preset rather than an arbitrary file path. Monitor WordPress access logs for suspicious activity, particularly requests that reference unusual file paths. After upgrading, confirm that the vulnerability is resolved by attempting to reach a non-existent PHP file through the previously vulnerable parameter and verifying that the request results in a 404 error.
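The input-validation workaround above is the kind of check a plugin author would add to close an LFI of this shape. The following is an added, hypothetical example written for this page, not JetTabs code and not a description of how the plugin resolves presets internally: the function name, the preset allowlist, and the templates directory are assumptions. It shows the hardened form, where a user-supplied preset name is only ever mapped to a file through an allowlist, with a realpath containment check as a second line of defence.

```php
<?php
// Added example (hypothetical, not the plugin's own code): map a preset name
// from settings to a template file without letting the caller choose a path.
declare(strict_types=1);

/**
 * Resolve a preset name to an absolute template path.
 *
 * Returns null when the name is not on the allowlist or when the resolved
 * file would lie outside $templates_dir. Callers should fall back to a
 * default template on null rather than including whatever was supplied.
 */
function resolve_switcher_preset(string $preset, string $templates_dir): ?string
{
    // Only preset names the plugin ships are accepted; anything else, including
    // traversal sequences or paths into wp-content/uploads, is rejected before
    // the filesystem is touched. (Names are assumptions for this example.)
    static $allowed = ['default', 'minimal', 'rounded'];

    if (!in_array($preset, $allowed, true)) {
        return null;
    }

    // Containment check: even if the allowlist is edited carelessly later, the
    // resolved file must still sit inside the templates directory.
    $base = realpath($templates_dir);
    $candidate = realpath($templates_dir . '/' . $preset . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Hypothetical use inside a render callback. A rejected value falls back to the
// default preset instead of being passed to include.
$templates = __DIR__ . '/templates/switcher';
$requested = isset($settings['switcher_preset']) ? (string) $settings['switcher_preset'] : 'default';
$file = resolve_switcher_preset($requested, $templates) ?? $templates . '/default.php';
if (is_file($file)) {
    include $file;
}
```

Note that `resolve_switcher_preset('../../uploads/image.png', ...)` returns null at the allowlist step, so the traversal never reaches `realpath()`; the containment check exists only to guard against a future mistake in the allowlist itself. Sanitising the value with a character filter alone (for example, stripping everything but letters and digits) is weaker than an allowlist, because it still lets the caller pick which file is included.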
Update the JetTabs for Elementor plugin to the latest available version. The vulnerability is present in versions prior to the most recent one. The update fixes the local file inclusion vulnerability.
CVE-2024-7146 is a Local File Inclusion vulnerability in the JetTabs for Elementor plugin, allowing authenticated attackers to execute arbitrary PHP code.
You are affected if you are using JetTabs for Elementor version 2.2.3 or earlier and have users with Contributor access or higher.
Upgrade the JetTabs for Elementor plugin to the latest available version that contains the fix. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the vulnerability is publicly known and could be exploited.
Refer to the JetTabs for Elementor plugin documentation and website for the official advisory and update information.