Platform
wordpress
Component
wpzoom-elementor-addons
Fixed in
1.1.38
CVE-2024-5147 is a critical Local File Inclusion (LFI) vulnerability in the WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress. It allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability affects all versions of the plugin up to and including 1.1.37; the fix shipped in version 1.1.38.
The impact of CVE-2024-5147 is severe. An attacker exploiting this LFI vulnerability can execute arbitrary PHP code on the WordPress server, bypass access controls and steal sensitive data, including the database credentials in wp-config.php, user information and potentially the entire WordPress installation, and may gain full control of the web server. With arbitrary code execution the attacker can install backdoors, deface the website, or use the server as a launchpad for further attacks. Because no authentication is required, any anonymous visitor can attempt to exploit it, which significantly increases the risk.
CVE-2024-5147 was publicly disclosed on May 22, 2024. While no active exploitation campaigns have been definitively confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and severity.
Websites using the WPZOOM Addons for Elementor plugin, particularly those running older versions (≤1.1.37), are at significant risk. Shared hosting environments are especially vulnerable, as a compromised website on one account can potentially be used to attack other websites on the same server. WordPress installations with default or weak security configurations are also at higher risk.
How to check whether you are affected:
• With WP-CLI, list the installed version of the plugin:
  wp plugin list --fields=name,status,version | grep wpzoom-elementor-addons
• Without WP-CLI, read the version from the plugin header on disk:
  grep -h 'Version:' /var/www/html/wp-content/plugins/wpzoom-elementor-addons/*.php | head -n 1
• Confirm that the installed copy handles the vulnerable parameter:
  grep -rl 'grid_style' /var/www/html/wp-content/plugins/wpzoom-elementor-addons/
• From outside (black-box), the plugin's public readme reveals the installed release when it is reachable:
  curl -s https://your-wordpress-site.com/wp-content/plugins/wpzoom-elementor-addons/readme.txt | grep -i 'stable tag'
Exploit Status
EPSS
0.76% (73rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-5147 is to upgrade the WPZOOM Addons for Elementor plugin to version 1.1.38 or later immediately. If upgrading is not immediately possible because of compatibility issues or breaking changes, temporarily restrict requests that carry the affected parameter ('grid_style') using a WordPress security plugin, or modify the plugin's code (advanced users only). A Web Application Firewall (WAF) can be configured to block requests whose 'grid_style' value contains suspicious patterns, such as path traversal sequences (../, including URL-encoded forms) or PHP stream wrappers (php://). Monitor web server and WordPress logs for file inclusion attempts targeting the 'grid_style' parameter; since the flaw is unauthenticated, probes will come from visitors without any account.
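The log-monitoring step above can be scripted. The following Python is an added example, not code from this page or from WPZOOM: it scans Apache combined-format access-log lines for requests whose grid_style value shows classic LFI indicators (directory traversal, PHP stream wrappers, absolute paths, null bytes) after undoing repeated percent-encoding. The log lines, IP addresses, request paths and payloads are constructed for illustration and are not a verified exploit for this CVE; the check that a legitimate style name is a plain slug is an assumption about the parameter, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access-log lines. Paths and payloads are
# illustrative LFI indicators, NOT a verified exploit for CVE-2024-5147.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2024:10:01:02 +0000] "GET /?grid_style=grid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [23/May/2024:10:01:07 +0000] "GET /?grid_style=..%2F..%2F..%2Fwp-config HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.12 - - [23/May/2024:10:01:09 +0000] "GET /?grid_style=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 901 "-" "python-requests/2.31"
203.0.113.13 - - [23/May/2024:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# High-confidence LFI indicators, matched against the fully decoded parameter value.
INDICATORS = (
    ("path traversal", re.compile(r"\.\.[\\/]")),
    ("php wrapper", re.compile(r"^(?:php|data|expect|phar|zip|glob|file)://", re.I)),
    ("absolute path", re.compile(r"^/(?:etc|proc|var|usr|tmp)/")),
    ("null byte", re.compile(r"\x00")),
)

# Assumption: a legitimate style name is a simple slug; anything else is suspicious.
SLUG_RE = re.compile(r"^[A-Za-z0-9_-]*$")


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding; attackers double-encode to evade naive filters."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return the names of all indicators that fire on one decoded parameter value."""
    names = [name for name, rx in INDICATORS if rx.search(value)]
    if not SLUG_RE.match(value):
        names.append("non-slug characters")
    return names


def analyze_log(log_text, parameter="grid_style"):
    """Scan access-log text for requests whose `parameter` looks like an LFI attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs removes one layer of percent-encoding; decode_fully handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get(parameter, []):
            value = decode_fully(raw)
            indicators = classify(value)
            if indicators:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "value": value,
                    "indicators": indicators,
                })
    return hits


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} '
              f'{", ".join(hit["indicators"])}: {hit["value"]!r}')
```

Access logs only capture query-string parameters; if the parameter is sent in a POST body or through admin-ajax, you need WAF or application-level request logging to see it. Treat flagged requests that returned 200 as candidates for a deeper look at the server; a 4xx or a WAF block still tells you the site is being probed.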
Update the WPZOOM Addons for Elementor (Templates, Widgets) plugin to the latest available version. This resolves the Local File Inclusion vulnerability and protects your website against possible attacks.
CVE-2024-5147 is a critical Local File Inclusion (LFI) vulnerability in the WPZOOM Addons for Elementor plugin that allows unauthenticated attackers to include arbitrary files and execute arbitrary code on the server.
You are affected if you are using WPZOOM Addons for Elementor version 1.1.37 or earlier. Immediately check your plugin version and upgrade if necessary.
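To act on this answer across a fleet rather than one site, the installed version has to be compared against 1.1.38 numerically. The Python below is an added example, not code from this page or from WPZOOM: it reads per-site output in the shape of `wp plugin list --format=json --fields=name,status,version` and reports every site still carrying a vulnerable copy. The inventory and hostnames are constructed; the slug is the one given in the Component field of this advisory. It also shows why plain string comparison is the wrong tool here: as strings, "1.1.9" sorts after "1.1.38".

```python
import json
import re

FIXED_VERSION = "1.1.38"                 # first release containing the fix, per this advisory
PLUGIN_SLUG = "wpzoom-elementor-addons"  # plugin slug as given in the Component field

# Constructed per-site output in the shape of
# `wp plugin list --format=json --fields=name,status,version`; hostnames are hypothetical.
SAMPLE_INVENTORY = {
    "shop.example": json.dumps([
        {"name": "elementor", "status": "active", "version": "3.21.4"},
        {"name": PLUGIN_SLUG, "status": "active", "version": "1.1.9"},
    ]),
    "blog.example": json.dumps([
        {"name": PLUGIN_SLUG, "status": "inactive", "version": "1.1.37"},
    ]),
    "docs.example": json.dumps([
        {"name": PLUGIN_SLUG, "status": "active", "version": "1.1.38"},
        {"name": "akismet", "status": "active", "version": "5.3"},
    ]),
}


def parse_version(version):
    """Turn '1.1.37' (or '1.1.37-beta1') into a tuple of ints so that 1.1.9 < 1.1.38."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_affected(inventory, slug=PLUGIN_SLUG):
    """Return (site, status, version) for every site still running a vulnerable copy.

    Inactive copies are reported as well: the vulnerable code is still on disk,
    so update or delete them rather than relying on the plugin being disabled.
    """
    affected = []
    for site, raw_json in inventory.items():
        for plugin in json.loads(raw_json):
            if plugin["name"] == slug and is_vulnerable(plugin["version"]):
                affected.append((site, plugin["status"], plugin["version"]))
    return affected


if __name__ == "__main__":
    for site, status, version in find_affected(SAMPLE_INVENTORY):
        print(f"{site}: {PLUGIN_SLUG} {version} ({status}) is vulnerable, upgrade to >= {FIXED_VERSION}")
```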
Upgrade the WPZOOM Addons for Elementor plugin to the latest available version. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the 'grid_style' parameter.
While no confirmed active exploitation campaigns are currently known, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the WPZOOM website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-5147.