Arbitrary File Inclusion Vulnerability in ElementsKit Elementor Addons Plugin
CVE-2024-2047

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Elementskit Elementor Addons
Vendor: CVE Published:; 30 March 2024

Summary

The ElementsKit Elementor addons plugin for WordPress is affected by a Local File Inclusion vulnerability that allows authenticated users with contributor-level access and above to include and execute arbitrary files on the server. This flaw is found in all versions up to and including 3.0.6, specifically through the 'render_raw' function. By exploiting this vulnerability, attackers can bypass access controls, execute arbitrary PHP code, and potentially expose sensitive data. The ability to upload and include what are perceived as safe file types, like images, further exacerbates the risk, making it essential for users to secure their installations against this vulnerability.

Affected Version(s)

ElementsKit Elementor addons * <= 3.0.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/elementskit-li...

https://plugins.trac.wordpress.org/changeset/3054091/elem...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 30, 2024
Vulnerability Reserved
Feb 29, 2024

Credit

wesley