JetElements Plugin Vulnerable to Local File Inclusion Attacks
CVE-2024-7145

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Jetelements
Vendor: CVE Published:; 16 August 2024

Summary

The JetElements plugin for WordPress contains a Local File Inclusion vulnerability due to inadequate validation of the 'progress_type' parameter. This flaw is present in all versions up to and including 2.6.20. It allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server. This capability could potentially lead to the execution of PHP code contained in those files, bypass access controls, and expose sensitive data. The risk is particularly pronounced in scenarios where attackers can upload what appear to be harmless files, such as images.

Affected Version(s)

JetElements * <= 2.6.20

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://crocoblock.com/plugins/jetelements/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 16, 2024
Vulnerability Reserved
Jul 26, 2024

Credit

Matthew Rollings