Platform: wordpress
Component: pdf-generator-addon-for-elementor-page-builder
Fixed in: 1.7.6
CVE-2024-9935 is a critical vulnerability classified as Arbitrary File Access affecting the PDF Generator Addon for Elementor Page Builder plugin in WordPress. This flaw allows unauthenticated attackers to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, database credentials, or source code. The vulnerability impacts versions of the plugin up to and including 1.7.5. A patch is available to resolve this issue.
The Arbitrary File Access vulnerability in the PDF Generator Addon poses a significant risk to WordPress websites using this plugin. An attacker could exploit this flaw to read any file accessible by the web server process. This includes potentially sensitive files such as .env files containing database credentials, configuration files with API keys, or even parts of the WordPress core files. Successful exploitation could lead to complete compromise of the web server, data exfiltration, and further malicious activity. The lack of authentication required for exploitation significantly broadens the attack surface.
CVE-2024-9935 was publicly disclosed on November 16, 2024. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the lack of authentication requirements suggest a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the simplicity of the attack vector.
Exploit Status
EPSS: 93.62% (100% percentile)
The primary mitigation for CVE-2024-9935 is to immediately upgrade the PDF Generator Addon for Elementor Page Builder plugin to a version higher than 1.7.5. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests that invoke the vulnerable rtwpgaepbdwnld_pdf() function. Additionally, restrict file permissions on the server so that the web server process can read as few sensitive files as possible, which limits the impact of a successful exploit. Monitor web server access logs for requests whose file arguments point outside the expected plugin directory. After upgrading, confirm the fix by attempting to access a sensitive file via the vulnerable endpoint and verifying that access is denied.
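To act on the log-monitoring advice above, the following is an added detection script (not part of this advisory or of the plugin itself) that parses access-log lines, decodes each query value through multiple layers of percent-encoding, and flags requests to the plugin directory whose file argument would resolve outside its base directory. The download.php script name, the file parameter and the log lines are constructed assumptions; only the plugin slug comes from the advisory.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines, not real traffic. download.php and its
# "file" parameter are hypothetical placeholders; the directory uses the advisory's plugin slug.
PLUGIN_DIR = "/wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/"
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [16/Nov/2024:10:00:01 +0000] "GET {PLUGIN_DIR}download.php?file=reports/invoice-42.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.11 - - [16/Nov/2024:10:00:05 +0000] "GET {PLUGIN_DIR}download.php?file=../../../wp-config.php HTTP/1.1" 200 3072 "-" "curl/8.4.0"',
    f'203.0.113.12 - - [16/Nov/2024:10:00:09 +0000] "GET {PLUGIN_DIR}download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3072 "-" "python-requests/2.31"',
])
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Strip up to max_rounds layers of percent-encoding, so %252e%252e becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(value):
    """True if a file argument would resolve outside the directory it is meant to stay in."""
    if "\x00" in value:
        return True  # a NUL byte is never part of a legitimate file name
    norm = posixpath.normpath(value.replace("\\", "/"))
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def suspicious_requests(log_text):
    """One record per request to the plugin directory whose query carries an escaping path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(PLUGIN_DIR):
            continue
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for raw in values:
                decoded = fully_decode(raw)
                if escapes_base(decoded):
                    # status 200 on such a request means the file was most likely served
                    hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"], "param": param, "value": decoded})
    return hits
```

Running `suspicious_requests(SAMPLE_LOG)` on the constructed lines flags the second and third requests and leaves the legitimate download untouched; a 200 status on a flagged line is the signal to treat the host as potentially compromised rather than merely probed.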
Update the PDF Generator Addon for Elementor Page Builder plugin to the latest available version. This fixes the path traversal vulnerability that allows unauthenticated download of arbitrary files.
CVE-2024-9935 is a vulnerability allowing unauthenticated attackers to read arbitrary files on a WordPress server using the PDF Generator Addon for Elementor Page Builder plugin, impacting versions up to 1.7.5.
You are affected if your WordPress site uses the PDF Generator Addon for Elementor Page Builder plugin in a version equal to or lower than 1.7.5.
Upgrade the PDF Generator Addon for Elementor Page Builder plugin to a version higher than 1.7.5. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the ease of exploitation suggests a high probability if unpatched.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and updated version.