HoliThemes Click to Chat Vulnerable to Local File Inclusion
CVE-2024-3849
8.8 HIGH
Summary
The Click to Chat – HoliThemes plugin for WordPress is vulnerable to Local File Inclusion: an authenticated user with Contributor-level access or higher can cause the plugin to include, and therefore execute, arbitrary files stored on the server. This permits execution of arbitrary PHP code, bypass of access controls, and disclosure of sensitive data. Because attackers can manipulate file uploads, even files that appear to be images may carry PHP code that is executed through the inclusion. The flaw therefore poses a significant risk to sites running the affected plugin versions.
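The mitigation for this vulnerability class is to never pass a user-controlled value to include. The following PHP is an added illustration written for this page, not code from the Click to Chat plugin; the function names, the templates/ directory and the template allowlist are assumptions.

```php
<?php
// Hypothetical hardened template loader for a WordPress plugin (illustrative,
// not the Click to Chat code). A user-supplied template name is accepted only
// if it is on a fixed allowlist, resolves inside a fixed directory, and does
// not point into wp-content/uploads, where uploaded "images" may carry PHP.

function hypothetical_safe_template_path( string $requested ): ?string {
    // Fixed base directory. In a real plugin this would be
    // plugin_dir_path( __FILE__ ) . 'templates'; here it is an assumption.
    $template_dir = realpath( __DIR__ . '/templates' );
    if ( false === $template_dir ) {
        return null;
    }

    // 1. Allowlist: only known template names may be included at all.
    //    basename() also discards any directory component ("../../" etc.).
    $allowed = array( 'default', 'floating', 'inline' ); // assumed names
    $name    = basename( $requested, '.php' );
    if ( ! in_array( $name, $allowed, true ) ) {
        return null;
    }

    // 2. Canonicalise and confine: the resolved path must stay under $template_dir.
    $candidate = realpath( $template_dir . '/' . $name . '.php' );
    $prefix    = $template_dir . DIRECTORY_SEPARATOR;
    if ( false === $candidate || 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return null;
    }

    // 3. Defence in depth: refuse anything inside the uploads tree, which
    //    low-privileged users can write to. wp_upload_dir() is the WordPress API.
    if ( function_exists( 'wp_upload_dir' ) ) {
        $uploads = realpath( wp_upload_dir()['basedir'] );
        if ( false !== $uploads && 0 === strncmp( $candidate, $uploads, strlen( $uploads ) ) ) {
            return null;
        }
    }
    return $candidate;
}

// Usage in a shortcode handler: fall back to the default template rather than
// trusting the attribute verbatim. $atts['template'] is attacker-controlled.
function hypothetical_render_chat_widget( array $atts ): void {
    $path = hypothetical_safe_template_path( $atts['template'] ?? 'default' );
    if ( null === $path ) {
        $path = hypothetical_safe_template_path( 'default' );
    }
    if ( null !== $path ) {
        include $path;
    }
}
```

With these checks a value such as `../../wp-content/uploads/2024/shell.jpg` is reduced to `shell`, rejected by the allowlist, and never reaches include.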
Affected Version(s)
Click to Chat – HoliThemes * <= 3.35
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
haidv35