Plugin Vulnerability: Local File Inclusion in WPBakery Visual Composer
CVE-2024-5709

8.8 HIGH

Key Information:

Vendor: WordPress
CVE Published: 6 August 2024

Summary

The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 7.7. The flaw is reachable through the 'layout_name' parameter and allows authenticated attackers with Author-level access or higher to include arbitrary files on the server. An attacker who has also been granted post permissions by an Administrator can execute any PHP code embedded in the included files, potentially leading to unauthorized access, data leakage, and significant risks to the integrity of the website. This issue underscores the importance of maintaining up-to-date plugin versions and implementing strict user permissions.

Affected Version(s)

WPBakery Visual Composer * <= 7.7

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

João Pedro Soares de Alcântara