Arbitrary Location Query Vulnerability in ElementsKit PRO Plugin

CVE-2024-4404

8.5HIGH

Key Information

Vendor: WPmet
Status: Elementskit Pro
Vendor: CVE Published:; 14 June 2024

Summary

The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affected Version(s)

ElementsKit Pro <= 3.6.2

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published.
Jun 14, 2024
Disclosed
Jun 13, 2024
Vulnerability Reserved.
May 1, 2024

Collectors

NVD DatabaseMitre Database

Credit

Ngô Thiên An