Arbitrary File Upload Vulnerability in Envolve Plugin for WordPress
CVE-2024-11617

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Envolve Plugin
Vendor: CVE Published:; 9 May 2025

What is CVE-2024-11617?

The Envolve Plugin for WordPress is susceptible to arbitrary file upload due to insufficient file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions. This vulnerability affects all versions up to and including 1.0, allowing unprivileged attackers to potentially upload malicious files to the server, which may lead to unauthorized remote code execution. Website administrators must apply necessary patches and implement security measures to mitigate this risk.

Affected Version(s)

Envolve Plugin * <= 1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/envolve-consulting-business-...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 9, 2025
Vulnerability Reserved
Nov 22, 2024

Credit

Friderika Baranyai