2.6.21
CVE-2024-7145 is a Local File Inclusion (LFI) vulnerability affecting the JetElements plugin for WordPress. This vulnerability allows authenticated attackers, with Contributor-level access or higher, to include and execute arbitrary files on the server. The vulnerability impacts versions up to and including 2.6.20 and can lead to sensitive data exposure or complete code execution. A fix is available in a later version of the plugin.
The impact of CVE-2024-7145 is significant due to the potential for remote code execution (RCE). An attacker who can successfully exploit this vulnerability can upload a malicious image or other file type, then use the 'progress_type' parameter to include and execute it. This effectively bypasses access controls and allows the attacker to run arbitrary PHP code on the server. The attacker could then steal sensitive data, modify website content, install malware, or even gain complete control of the WordPress instance. This vulnerability shares similarities with other LFI exploits where file inclusion is leveraged to execute malicious code.
CVE-2024-7145 was publicly disclosed on August 16, 2024. There is currently no indication of active exploitation in the wild, but the availability of a public proof-of-concept could change this. The vulnerability is not currently listed on the CISA KEV catalog. The relatively low barrier to entry (requiring only Contributor-level access) makes it a potential target for opportunistic attackers.
WordPress websites using the JetElements plugin, particularly those with multiple users having Contributor-level access or higher, are at risk. Shared hosting environments where users have limited control over file permissions are also particularly vulnerable. Sites using older, unpatched versions of the plugin are most susceptible to exploitation.
• wordpress / composer / npm:
grep -r 'progress_type' /var/www/html/wp-content/plugins/jet-elements/• wordpress / composer / npm:
wp plugin list --status=all | grep jet-elements• wordpress / composer / npm:
find /var/www/html/wp-content/uploads/ -type f -name '*.php'disclosure
漏洞利用状态
EPSS
0.57% (69% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-7145 is to upgrade the JetElements plugin to a version that addresses the vulnerability. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting file upload permissions and carefully reviewing all uploaded files for malicious content. Web Application Firewall (WAF) rules can be configured to block requests containing suspicious characters in the 'progress_type' parameter. Monitor WordPress logs for unusual file access patterns or PHP execution errors.
Actualice el plugin JetElements a la última versión disponible. Esto solucionará la vulnerabilidad de inclusión de archivos locales.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-7145 is a Local File Inclusion vulnerability in the JetElements WordPress plugin, allowing authenticated users to execute arbitrary PHP code. It affects versions up to 2.6.20 and poses a significant security risk.
You are affected if your WordPress site uses the JetElements plugin and is running version 2.6.20 or earlier. Check your plugin version and upgrade immediately if necessary.
Upgrade the JetElements plugin to the latest available version. If upgrading is not possible, implement temporary workarounds like restricting file upload permissions and WAF rules.
There is currently no confirmed active exploitation of CVE-2024-7145, but the availability of a proof-of-concept makes it a potential target.
Refer to the official JetElements plugin website or their support channels for the latest advisory and updates regarding CVE-2024-7145.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。