Cyber Resilience

CVE-2024-37520

Medium

Published: 09 July 2024

Modified: 23 April 2026
KEV Added
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0127 (79.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-37520 is a medium-severity PHP Remote File Inclusion (CWE-98) vulnerability in Radiustheme Shopbuilder. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 20.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-37520 is a PHP Remote File Inclusion vulnerability (CWE-98) caused by improper control of filenames in include/require statements. It affects the ShopBuilder – Elementor WooCommerce Builder Addons plugin for WordPress in all versions through 2.1.12. The flaw carries a CVSS 3.1 score of 6.5 with network attack vector, low complexity, and low privileges required, resulting in high confidentiality impact without affecting integrity or availability.

An authenticated attacker with low-privileged access can supply a crafted filename to force inclusion of arbitrary local or remote files, enabling unauthorized reading of sensitive data on the server. Exploitation occurs over the network without user interaction and targets the plugin's file-handling logic in the affected WordPress installation.

Advisories published by Patchstack identify the issue as a local file inclusion vulnerability in the same plugin versions and provide the associated CVE details for remediation tracking.

The EPSS score rose materially from a low baseline to a peak of 0.0642 on 2026-04-02 before receding to the current value of 0.0127, indicating a period of increased exploitation interest after public disclosure.

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons shopbuilder. This issue affects ShopBuilder – Elementor WooCommerce Builder Addons: from n/a through <= 2.1.12.

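CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')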

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

radiustheme
shopbuilder
≤ 2.1.13

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
