Platform
wordpress
Component
consulting-elementor-widgets
Fixed in
1.3.1
CVE-2024-37089 is a critical path traversal vulnerability affecting Consulting Elementor Widgets versions up to and including 1.3.0. It allows an attacker to include arbitrary local files on the server (local file inclusion), potentially leading to sensitive data exposure or even remote code execution. The vulnerability was published on 2024-06-24 and a fix is available in version 1.3.1.
The path traversal vulnerability in Consulting Elementor Widgets lets attackers bypass the intended restriction to the plugin's own template directory and reach files outside it. By inserting "../" sequences into a file-path parameter, an attacker can make the plugin include arbitrary files from the server's filesystem. Because PHP's include executes whatever it loads, this is more than a read primitive: including wp-config.php discloses database credentials and authentication salts, and if the attacker can include a file containing PHP code they control (for example a previously uploaded file or a log they can write to), the result is remote code execution and full control of the WordPress site. The exposure is amplified by the size of the Elementor ecosystem, which makes widget add-ons such as this one attractive targets for mass exploitation.
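To make the mechanism concrete, here is an added example (not the plugin's code, and written in Python rather than PHP to keep it runnable stand-alone) that models the vulnerable "concatenate a request parameter onto a directory and include it" pattern next to a hardened resolver. The directory layout, template names and parameter values are constructed for the demonstration; the only behaviour borrowed from PHP is that the query parameter arrives URL-decoded once.

```python
"""Model of the file-inclusion pattern behind a path-traversal bug like the
one described above, next to a hardened resolver. Added illustration, not the
plugin's PHP code; the directory layout, template names and parameter values
below are constructed for the demonstration."""
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def make_demo_tree() -> str:
    """Build a throwaway layout shaped like a WordPress install:
    <root>/wp-config.php (must never be includable) and a plugin templates
    directory four levels below it holding one legitimate template.
    Returns the templates directory, which plays the role of `base`."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    Path(root, "wp-config.php").write_text("<?php define('DB_PASSWORD', 's3cret');")
    tpl = Path(root, "wp-content", "plugins", "demo-widgets", "templates")
    tpl.mkdir(parents=True)
    (tpl / "default.php").write_text("<?php echo 'default widget';")
    return str(tpl)


def resolve_unsafe(base: str, user_value: str) -> str:
    """The vulnerable pattern: take a request parameter (PHP hands it over
    URL-decoded once, modelled by unquote), glue it onto a directory, append
    '.php' and pass the result to include/require. Nothing stops '../' from
    walking out of `base`, and encoding the dots changes nothing."""
    name = unquote(user_value)
    return os.path.normpath(base + os.sep + name + ".php")


def resolve_safe(base: str, user_value: str) -> Optional[str]:
    """Hardened resolver. Decode once, reject separators, NUL bytes and
    anything that is not a plain token, then canonicalise and verify the
    result is still inside `base`. Returns None when the request must be
    refused (the caller should answer 400/404, never fall back to a path)."""
    name = unquote(user_value)
    if "\x00" in name or "/" in name or "\\" in name:
        return None
    if not name.replace("-", "").replace("_", "").isalnum():
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name + ".php"))
    # commonpath is the robust containment test; a plain startswith() would
    # accept a sibling directory such as templates-old/.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate if os.path.isfile(candidate) else None


if __name__ == "__main__":
    base = make_demo_tree()
    for value in ("default",
                  "../../../../wp-config",
                  "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config"):
        print(f"{value!r:50} unsafe -> {resolve_unsafe(base, value)}")
        print(f"{'':50} safe   -> {resolve_safe(base, value)}")
```

The allowlist-style token check does most of the work; the realpath/commonpath step is defence in depth for the day someone relaxes the token rule. In PHP the same shape is realpath() plus a prefix comparison against the canonicalised base directory, with the response refused outright on mismatch.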
CVE-2024-37089 is currently considered high risk due to its critical CVSS score and the ease with which path traversal vulnerabilities can be exploited. While no public exploits have been widely reported, the simplicity of the bug class and its impact make it a prime target for attackers. The vulnerability was disclosed on 2024-06-24; it had not been added to the CISA KEV catalog at the time of writing. Monitor security advisories and threat intelligence feeds for signs of active exploitation.
WordPress sites running the Consulting Elementor Widgets plugin at any version prior to 1.3.1 are at significant risk. Shared hosting environments are especially exposed, since they often have weaker isolation between tenants and a higher concentration of outdated plugins. Sites with permissive file permissions or no WAF protection are also at increased risk.
Checks for whether a vulnerable version (below 1.3.1) is installed:
• wordpress / composer / npm:
wp plugin list --fields=name,status,version | grep consulting-elementor-widgets
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/consulting-elementor-widgets/readme.txt | grep -i 'stable tag'
• wordpress / composer / npm:
grep -h "Version:" /var/www/html/wp-content/plugins/consulting-elementor-widgets/*.php | head -n 1
Exploit status
EPSS: 0.97% (77th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-37089 is to upgrade Consulting Elementor Widgets to version 1.3.1 or later immediately. If upgrading is not immediately feasible because of compatibility concerns, consider temporary workarounds: tighten file permissions on the server, use a Web Application Firewall (WAF) to block requests containing path traversal sequences (the rule must match after URL decoding, or encoded variants such as %2e%2e%2f will slip past), and validate user-supplied file names against an allowlist rather than sanitising them. Note that file-permission restrictions cannot protect files the web server itself must read, such as wp-config.php, so they reduce rather than remove the exposure. Regularly scan your WordPress installation for vulnerable plugins using security plugins or vulnerability scanners.
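The WAF and monitoring advice above hinges on one detail: traversal payloads are routinely URL-encoded, sometimes twice, so a filter or log search that looks for a literal "../" misses them. The following added example (not from the advisory or the plugin vendor) decodes each request target repeatedly before matching and runs over a handful of constructed access-log lines in Apache/nginx combined format; the IP addresses, timestamps and paths are invented for the demonstration.

```python
"""Detect path-traversal probes in web-server access logs. Added example, not
from the advisory or the plugin vendor; the log lines below are constructed
to look like Apache/nginx combined-format entries."""
import re
from urllib.parse import unquote

# Constructed sample: one plain traversal, one single-encoded, one
# double-encoded, and three benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jun/2024:10:01:02 +0000] "GET /wp-content/plugins/consulting-elementor-widgets/readme.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Jun/2024:10:01:05 +0000] "GET /?template=../../../../wp-config.php HTTP/1.1" 200 3211 "-" "python-requests/2.31"
203.0.113.12 - - [24/Jun/2024:10:01:07 +0000] "GET /index.php?tpl=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1450 "-" "curl/8.0"
203.0.113.13 - - [24/Jun/2024:10:01:09 +0000] "GET /index.php?tpl=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.14 - - [24/Jun/2024:10:01:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jun/2024:10:01:13 +0000] "GET /blog/2024/06/24/release-notes/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment followed by a separator or the end of the string.
TRAVERSAL_RE = re.compile(r"\.\.(/|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that
    double-encoded payloads like %252e%252e%252f are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target: str) -> bool:
    """True when the decoded request path or query carries a '..' segment
    or an embedded NUL (the classic extension-truncation trick)."""
    decoded = fully_decode(target).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(decoded)) or "\x00" in decoded


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per suspicious request: source IP, response status
    (a 200 on a traversal payload deserves the most urgent look), the raw
    target and what it decodes to."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "status": int(m["status"]),
            "target": m["target"],
            "decoded": fully_decode(m["target"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['ip']:15} {hit['status']} {hit['decoded']}")
```

Run it against a real log with find_traversal_attempts(open(path).read()); the same decode-then-match logic is what a WAF rule needs, and a 200 response to a traversal payload is the signal to treat the host as compromised until the included file is identified.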
Update the Consulting Elementor Widgets plugin to the latest available version. The unauthenticated local file inclusion vulnerability was fixed in versions after 1.3.0, i.e. 1.3.1 and later. Consult the plugin changelog for details of the fix.
CVE-2024-37089 is a critical vulnerability in Consulting Elementor Widgets allowing attackers to include arbitrary files via path traversal, potentially exposing sensitive data or enabling remote code execution.
You are affected if you are using Consulting Elementor Widgets version 1.3.0 or earlier. Check the installed version (the Plugins screen in wp-admin, or wp plugin list on the command line) and upgrade immediately.
Upgrade Consulting Elementor Widgets to version 1.3.1 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules or file permission restrictions.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation make it a likely target. Monitor security advisories for updates.
Refer to the official StylemixThemes website and WordPress plugin repository for the latest advisory and update information.