Plus Addons LFI magazine_style 5.5.4
CVE-2024-5455 Published on June 21, 2024
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.6 - Authenticated (Contributor+) Local File Inclusion
The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other safe file types can be uploaded and included.
Timeline
Disclosed
Weakness Type
What is a Remote file include Vulnerability?
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the software will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
CVE-2024-5455 has been classified as a Remote file include vulnerability or weakness.
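The mitigation for this weakness class, as an added example that is not the plugin's code: a widget setting such as 'magazine_style' is mapped through a fixed allowlist and the resolved path is checked for containment before it reaches include. The function name, style names and directory layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Unsafe pattern described by the weakness (illustrative, not the plugin's source):
//   include $templateDir . '/' . $settings['magazine_style'] . '.php';

// Hypothetical allowlist; the plugin's real style names are not given on this page.
const ALLOWED_STYLES = ['style-1', 'style-2', 'style-3'];

/**
 * Map a user-supplied style value to a template file inside $baseDir.
 * Returns the absolute path, or null when the value must be rejected.
 */
function resolve_style_template(string $baseDir, $requested): ?string
{
    // 1. Only exact string matches against the allowlist are accepted.
    if (!is_string($requested) || !in_array($requested, ALLOWED_STYLES, true)) {
        return null;
    }
    // 2. Canonicalise both paths so symlinks and ".." segments are resolved.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }
    // 3. Defence in depth: the resolved file must still live under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary template directory and sample setting values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/style-2.php', "<?php return 'rendered style-2';");

foreach (['style-2', '../outside', 'style-9', ['style-1']] as $input) {
    $tpl = resolve_style_template($dir, $input);
    $out = 'rejected';
    if ($tpl !== null) {
        $out = include $tpl; // only reached for an allowlisted, contained file
    }
    echo json_encode($input), ' => ', $out, PHP_EOL;
}

unlink($dir . '/style-2.php');
rmdir($dir);
```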
Products Associated with CVE-2024-5455
Affected Versions
posimyththemes The Plus Addons for Elementor Page Builder Pro:
- Before and including 5.5.6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.