Platform: wordpress
Component: consulting-elementor-widgets
Fixed version: 1.3.1
CVE-2024-37089 is a critical path traversal vulnerability affecting Consulting Elementor Widgets versions up to and including 1.3.0. It allows an attacker to include arbitrary files on the server, potentially leading to sensitive data exposure or even remote code execution. The vulnerability was published on 2024-06-24 and a fix is available in version 1.3.1.
The Path Traversal vulnerability in Consulting Elementor Widgets allows attackers to bypass intended security restrictions and access files outside of the intended directory. By manipulating file paths, an attacker can include arbitrary files from the server's filesystem. This could lead to the exposure of sensitive configuration files, database credentials, or even source code. In a worst-case scenario, if the attacker can include a PHP file containing malicious code, they could achieve remote code execution, effectively gaining full control of the WordPress site. This is particularly concerning given the popularity of Elementor and the potential for widespread exploitation.
CVE-2024-37089 is currently considered high risk due to its critical CVSS score and the ease with which path traversal vulnerabilities can be exploited. While no public exploits have been widely reported, the public availability of the vulnerability details and its potential impact make it a prime target for attackers. The vulnerability was disclosed on 2024-06-24; it has not yet been added to the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress websites using the Consulting Elementor Widgets plugin, particularly those running versions prior to 1.3.1, are at significant risk. Shared hosting environments are especially vulnerable as they often have limited access controls and a higher concentration of vulnerable plugins. Sites with weak file permissions or inadequate WAF protection are also at increased risk.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/consulting-elementor-widgets/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/consulting-elementor-widgets/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list --status=inactive | grep consulting-elementor-widgets
EPSS: 0.97% (77th percentile)
The primary mitigation for CVE-2024-37089 is to immediately upgrade Consulting Elementor Widgets to version 1.3.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting file access permissions on the server, using a Web Application Firewall (WAF) to filter out malicious requests containing path traversal attempts, or implementing input validation to sanitize user-supplied file paths. Regularly scan your WordPress installation for vulnerable plugins using security plugins or vulnerability scanners.
Update the Consulting Elementor Widgets plugin to the latest available version. The unauthenticated local file inclusion vulnerability is fixed in versions after 1.3.0. See the plugin's changelog for more details on the fix.
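As an added defender-side example (not code from the page or from the plugin's vendor): a small Python scanner that pulls path-traversal probes aimed at the plugin directory out of web-server access logs, fully URL-decoding each request first so double-encoded and overlong variants are normalised before matching. The page does not name the vulnerable endpoint or parameter, so the scope (any request mentioning the plugin directory together with a traversal sequence) and the sample log lines are assumptions.

```python
import re
from urllib.parse import unquote

# Plugin directory from the advisory. The vulnerable endpoint/parameter is not named on
# the page, so any request mentioning this directory plus a traversal sequence is a probe.
PLUGIN_DIR = "wp-content/plugins/consulting-elementor-widgets/"

# "../" or "..\" after full decoding; overlong slashes such as %c0%af decode to U+FFFD,
# and a NUL byte is a classic include truncator.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|\ufffd)|\x00")

# Common/combined log format: client, identity, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded payloads (%252e) are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_probe(target: str) -> bool:
    """True when the request touches the plugin directory and carries traversal."""
    decoded = decode_fully(target)
    if PLUGIN_DIR not in decoded.lower():
        return False
    return TRAVERSAL_RE.search(decoded) is not None

def scan_log(text: str) -> list:
    """Return (ip, status, decoded target) for every log line that looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m["target"]):
            hits.append((m["ip"], int(m["status"]), decode_fully(m["target"])))
    return hits

# Constructed sample log lines (not real traffic): two probes, one normal asset request,
# and a traversal attempt against an unrelated plugin, which is out of scope here.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2024:10:00:01 +0000] "GET /wp-content/plugins/consulting-elementor-widgets/../../../../etc/passwd HTTP/1.1" 200 1432
203.0.113.5 - - [24/Jun/2024:10:00:02 +0000] "GET /?file=wp-content%2Fplugins%2Fconsulting-elementor-widgets%2F%252e%252e%2F%252e%252e%2Fwp-config.php HTTP/1.1" 403 0
198.51.100.7 - - [24/Jun/2024:10:00:03 +0000] "GET /wp-content/plugins/consulting-elementor-widgets/assets/css/style.css HTTP/1.1" 200 8812
198.51.100.8 - - [24/Jun/2024:10:00:04 +0000] "GET /wp-content/plugins/other-plugin/../../index.php HTTP/1.1" 404 0
"""
```

`scan_log(SAMPLE_LOG)` returns the two probe entries from 203.0.113.5; a probe that was answered with a 200 rather than a 403/404 is the one to investigate first, since the same decoded sequences are what a WAF rule should block.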
CVE-2024-37089 is a critical vulnerability in Consulting Elementor Widgets allowing attackers to include arbitrary files via path traversal, potentially exposing sensitive data or enabling remote code execution.
You are affected if you are using Consulting Elementor Widgets version 1.3.0 or earlier. Check your plugin version and upgrade immediately.
Upgrade Consulting Elementor Widgets to version 1.3.1 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules or file permission restrictions.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation make it a likely target. Monitor security advisories for updates.
Refer to the official StylemixThemes website and WordPress plugin repository for the latest advisory and update information.