Arbitrary File Read Vulnerability in Elementor Addons

CVE-2024-4359

6.5MEDIUM

Key Information

Vendor: Bdthemes
Status: Element Pack Elementor Addons (header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vendor: CVE Published:; 12 August 2024

Summary

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lack of sufficient file validation in the render_svg function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affected Version(s)

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Aug 12, 2024
Disclosed
Aug 8, 2024
Vulnerability Reserved.
Apr 30, 2024

Collectors

NVD DatabaseMitre Database

Credit

Craig Smith