Arbitrary File Inclusion Vulnerability in Responsive Owl Carousel for Elementor
CVE-2024-5345

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Responsive Owl Carousel For Elementor
Vendor: CVE Published:; 31 May 2024

Summary

The Responsive Owl Carousel for Elementor plugin for WordPress is vulnerable to Local File Inclusion (LFI) in all versions up to and including 1.2.0 through the layout parameter. This vulnerability permits authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server. The exploitation of this vulnerability enables the execution of PHP code contained in the included files, which can lead to bypassing access controls, accessing sensitive data, or achieving unauthorized code execution, particularly through the upload and inclusion of files masquerading as safe images and other file types. The vulnerability is particularly concerning as it is limited to PHP files that can be executed on the server.

Affected Version(s)

Responsive Owl Carousel for Elementor * <= 1.2.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/responsive-owl...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 31, 2024
Vulnerability Reserved
May 24, 2024

Credit

Matthew Rollings