Platform
wordpress
Component
wpzoom-elementor-addons
Fixed in
1.1.38
CVE-2024-5147 is a critical Local File Inclusion (LFI) vulnerability in the WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress. It allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability affects all versions of the plugin up to and including 1.1.37; a fix is available in version 1.1.38.
The impact of CVE-2024-5147 is severe. An attacker exploiting this LFI vulnerability can execute arbitrary PHP code on the WordPress server. This allows them to bypass access controls, steal sensitive data (including database credentials, user information, and potentially the entire WordPress installation), and potentially gain full control of the web server. Arbitrary code execution also means the attacker can install backdoors, deface the website, or use the server as a launchpad for further attacks. Because no authentication is required, the risk is significantly higher: any anonymous visitor can attempt to exploit it.
CVE-2024-5147 was publicly disclosed on May 22, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and severity.
Websites using the WPZOOM Addons for Elementor plugin, particularly those running older versions (≤1.1.37), are at significant risk. Shared hosting environments are especially vulnerable, as a compromised website on one account can potentially be used to attack other websites on the same server. WordPress installations with default or weak security configurations are also at higher risk.
• wordpress / composer / npm:
grep -r 'grid_style' /var/www/html/wp-content/plugins/wpzoom-addons-for-elementor/
• wordpress / composer / npm:
wp plugin list --status=all | grep wpzoom-addons-for-elementor
• wordpress / composer / npm:
curl -s http://your-wordpress-site.com/wp-content/plugins/wpzoom-addons-for-elementor/ | grep -i 'grid_style'
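The checks above tell you whether the plugin is installed; the decisive question is whether the installed version is below the fixed release. The following added example (not code from the advisory or from WPZOOM) reads the `Version:` line of a WordPress plugin header and compares it numerically against 1.1.38, the fixed version stated on this page. The plugin header text is constructed for the example; on a real server you would point `check_plugin_dir` at the plugin's directory.

```python
"""Check whether an installed WPZOOM Addons for Elementor copy is older than
the fixed release. Added example, not the plugin's or the advisory's own code."""
import re
from pathlib import Path

FIXED_VERSION = "1.1.38"  # fixed version as stated in the advisory

# Constructed sample of a WordPress plugin header as found at the top of a
# plugin's main PHP file. Only the "Version:" line is used here.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: WPZOOM Addons for Elementor (Templates, Widgets)
 * Version: 1.1.37
 */
"""


def parse_version(text):
    """Extract the dotted version from a plugin header, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(v):
    """Compare versions numerically: '1.1.9' must sort below '1.1.38',
    which a plain string comparison would get wrong."""
    return tuple(int(p) for p in v.strip(".").split("."))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed version."""
    return version_tuple(installed) < version_tuple(fixed)


def check_plugin_dir(plugin_dir):
    """Find the main plugin file (the one carrying a Version header) in a
    plugin directory and report (version, vulnerable). Returns (None, None)
    if no header is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        v = parse_version(php.read_text(errors="ignore"))
        if v:
            return v, is_vulnerable(v)
    return None, None


if __name__ == "__main__":
    v = parse_version(SAMPLE_PLUGIN_HEADER)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

The numeric tuple comparison matters: a lexical comparison would rank 1.1.9 above 1.1.38 and wrongly report an old install as patched.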
Exploit status
EPSS
0.76% (percentile 73%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-5147 is to upgrade the WPZOOM Addons for Elementor plugin immediately to a version that addresses the vulnerability. If upgrading is not immediately possible because of compatibility issues or breaking changes, consider temporarily restricting access to the affected parameter ('grid_style') with a WordPress security plugin or by modifying the plugin's code (advanced users only). Web Application Firewalls (WAFs) can be configured to block requests containing suspicious patterns in the 'grid_style' parameter. Monitor WordPress and web server logs for unusual file inclusion attempts, specifically those targeting the 'grid_style' parameter.
Update the WPZOOM Addons for Elementor (Templates, Widgets) plugin to the latest available version. This fixes the Local File Inclusion vulnerability and protects your website against possible attacks.
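As an added example of the log monitoring recommended above (not code from the advisory or from WPZOOM), the following scanner parses combined-format access-log lines, URL-decodes the `grid_style` query parameter, and flags any request whose value is not a plain template slug. The allowlist approach avoids maintaining a list of attack signatures: a legitimate grid style name contains only letters, digits, hyphens and underscores, so anything with path separators, dots or scheme prefixes stands out. The log lines, client addresses and the slug format are constructed assumptions for the example.

```python
"""Flag access-log requests whose grid_style parameter is not a plain slug.
Added example; the log lines are constructed and the parameter name comes
from the advisory. Not the plugin's own code."""
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist: a legitimate grid style value is a short slug (assumption).
SLUG = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Combined log format: client, ident, user, [time], "METHOD target proto", status
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log: one benign grid_style, one URL-encoded traversal
# attempt, one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [22/May/2024:10:00:01 +0000] "GET /?grid_style=grid-3 HTTP/1.1" 200 512
203.0.113.11 - - [22/May/2024:10:00:05 +0000] "GET /?grid_style=..%2F..%2Fwp-config HTTP/1.1" 200 2048
203.0.113.12 - - [22/May/2024:10:00:09 +0000] "GET /?p=42 HTTP/1.1" 200 900
"""


def suspicious_value(line):
    """Return (client, decoded_value) if the request carries a grid_style
    value outside the slug allowlist, otherwise None."""
    m = REQ.match(line)
    if not m:
        return None
    client, _method, target, _status = m.groups()
    # parse_qs percent-decodes, so encoded traversal is checked in decoded form
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in params.get("grid_style", []):
        if not SLUG.match(value):
            return client, value
    return None


def scan(log_text):
    """Scan a whole log and return every (client, value) hit in order."""
    hits = []
    for line in log_text.splitlines():
        hit = suspicious_value(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"ALERT {client} grid_style={value!r}")
```

Run it over a real access log by passing the file contents to `scan`; the same allowlist regex can be reused as a WAF or security-plugin rule for the parameter.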
CVE-2024-5147 is a critical Local File Inclusion (LFI) vulnerability in the WPZOOM Addons for Elementor plugin that allows attackers to execute arbitrary code on the server.
You are affected if you are using WPZOOM Addons for Elementor version 1.1.37 or earlier. Check your installed plugin version immediately and upgrade if necessary.
Upgrade the WPZOOM Addons for Elementor plugin to the latest available version. If an immediate upgrade is not possible, consider temporary workarounds such as restricting access to the 'grid_style' parameter.
While no confirmed active exploitation campaigns are currently known, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the WPZOOM website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-5147.