Arbitrary File Inclusion Vulnerability in Elementor Addons by Livemesh Plugin
CVE-2024-2385

8.8 HIGH

Key Information:

Vendor
WordPress
CVE Published:
4 July 2024

Summary

The Elementor Addons by Livemesh plugin for WordPress is susceptible to a Local File Inclusion vulnerability impacting all versions up to and including 8.3.7. This security flaw arises from the improper handling of the 'style' attribute within multiple widgets of the plugin. Authenticated attackers with contributor-level access or higher can leverage this vulnerability to include and execute arbitrary files on the server, which enables them to run any PHP code found in these files. The implications of this vulnerability include potential bypassing of access controls, unauthorized retrieval of sensitive information, and arbitrary code execution, particularly where users can upload images and other ostensibly safe file types.

Affected Version(s)

Elementor Addons by Livemesh * <= 8.3.7

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley