Arbitrary File Upload Vulnerability in Startklar Elementor Addons Plugin for WordPress
CVE-2024-4345

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Startklar Elementor Addons
Vendor: CVE Published:; 7 May 2024

Summary

The Startklar Elementor Addons plugin for WordPress exposes a significant vulnerability that allows unauthenticated users to exploit insufficient file type validation in the 'process' function of the 'startklarDropZoneUploadProcess' class. This flaw enables attackers to upload arbitrary files to the server, potentially leading to remote code execution. Affected versions include those up to and including 1.7.13, necessitating immediate attention from site administrators to mitigate risks associated with unauthorized file uploads.

Affected Version(s)

Startklar Elementor Addons * <= 1.7.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/startklar-elme...

https://plugins.trac.wordpress.org/changeset/3081987/star...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 7, 2024
Vulnerability Reserved
Apr 30, 2024

Credit

István Márton