The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain sensitive information, and to delete arbitrary directories, including the root WordPress directory.
References
Configurations
History
21 Nov 2024, 09:47
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/startklar-elmentor-forms-extwidgets/trunk/widgets/dropzone_form_field.php#L334 - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/baa20290-9c01-4f8d-adeb-fbfb15b9d6a9?source=cve - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
24 Jul 2024, 17:56
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-22 | |
First Time |
Web-shop-host startklar Elmentor Addons
Web-shop-host |
|
CPE | cpe:2.3:a:web-shop-host:startklar_elmentor_addons:*:*:*:*:*:wordpress:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | () https://plugins.trac.wordpress.org/browser/startklar-elmentor-forms-extwidgets/trunk/widgets/dropzone_form_field.php#L334 - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/baa20290-9c01-4f8d-adeb-fbfb15b9d6a9?source=cve - Third Party Advisory |
06 Jun 2024, 14:17
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Jun 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 04:15
Updated : 2024-11-21 09:47
NVD link : CVE-2024-5153
Mitre link : CVE-2024-5153
CVE.ORG link : CVE-2024-5153
JSON object : View
Products Affected
web-shop-host
- startklar_elmentor_addons
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')