CVE-2024-5153 Information

Description

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to and including 1.7.15 via the ‘dropzone_hash’ parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain sensitive information, and to delete arbitrary directories, including the root WordPress directory.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Reference

https://www.wordfence.com/threat-intel/vulnerabilities/id/baa20290-9c01-4f8d-adeb-fbfb15b9d6a9?source=cve

https://plugins.trac.wordpress.org/browser/startklar-elmentor-forms-extwidgets/trunk/widgets/dropzone_form_field.php#L334

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

9.1

Base Severity

CRITICAL
