CVE-2024-1358

EUVD-2024-17115
The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of arbitrary PHP files on the server, which may expose sensitive information.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
webtechstreetelementor_addon_elements
𝑥
< 1.13
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
wpvibesanywhere_elementor
𝑥
≤ 1.12.12
ADP
Common Weakness Enumeration
References
https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.12.12/modules/shape-separator/widgets/shape-separator.php#L89
https://plugins.trac.wordpress.org/changeset/3037925/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/widgets/shape-separator.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/20cd3fff-0488-4bc2-961b-2427925e6a96?source=cve
https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.12.12/modules/shape-separator/widgets/shape-separator.php#L89
https://plugins.trac.wordpress.org/changeset/3037925/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/widgets/shape-separator.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/20cd3fff-0488-4bc2-961b-2427925e6a96?source=cve