Local File Inclusion Vulnerability in LA-Studio Element Kit for Elementor Plugin
CVE-2024-5349

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Element Kit For Elementor
Vendor: CVE Published:; 2 July 2024

Summary

The LA-Studio Element Kit for Elementor plugin for WordPress is susceptible to Local File Inclusion (LFI) vulnerabilities in all versions up to and including 1.3.8.1. The vulnerability arises from improper handling of the 'map_style' parameter, allowing authenticated users with Contributor-level access or higher to include and execute arbitrary files on the server. This exploitation opens the door to code execution by leveraging scripts that can be uploaded under the guise of typical file types like images. Consequently, attackers may bypass access controls, access sensitive information, and compromise the site's security.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3108501/last...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 2, 2024