Limited Local PHP File Inclusion Vulnerability in WPBakery Page Builder
CVE-2024-11952

7.5HIGH

Key Information:

Vendor: Wordpress
Vendor: CVE Published:; 4 December 2024

What is CVE-2024-11952?

The Classic Addons – WPBakery Page Builder plugin for WordPress has a Local PHP File Inclusion vulnerability that affects all versions up to and including 3.0. The flaw exists due to insufficient validation of the 'style' parameter, which allows authenticated attackers, possessing Contributor-level access or higher, to include and execute arbitrary PHP files located on the server. This exploitation can enable attackers to evade access controls, extract sensitive information, or execute malicious PHP code when images or other permitted file types are uploaded. The vulnerability specifically impacts installations running in a Windows environment.

References

https://plugins.trac.wordpress.org/browser/classic-addons...

https://www.wordfence.com/threat-intel/vulnerabilities/id...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 4, 2024

Wordpress

What is CVE-2024-11952?

References

CVSS V3.1

Timeline