CVE-2024-5153
Published: 06 June 2024
Summary
CVE-2024-5153 is a critical-severity Path Traversal (CWE-22) vulnerability in Web-Shop-Host Startklar Elementor Addons, a WordPress plugin. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood (EPSS percentile); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Startklar Elementor Addons plugin for WordPress is affected by a directory traversal vulnerability (CWE-22) in all versions up to and including 1.7.15. The flaw resides in the dropzone_form_field.php component and is triggered through the dropzone_hash parameter: the parameter's value is used to build a filesystem path without being constrained to the intended directory, which allows unauthorized reading of arbitrary file contents and deletion of arbitrary directories on the server, including the WordPress root. The CVSS 3.1 base score of 9.1 reflects a network attack vector, low attack complexity, and no required privileges or user interaction.
Unauthenticated remote attackers can exploit the issue to exfiltrate sensitive data from files anywhere on the filesystem and to remove directories at will, which may result in complete site destruction. The attack path is exposed directly through the plugin's form widget handling without any authentication gate.
Public references from Wordfence and the WordPress plugin tracker document the vulnerable code path but do not detail an available patch or specific mitigation steps beyond the standard practice of updating the plugin or disabling it. The associated EPSS probability remains flat at 0.0545 (about 5.5%, the figure behind the top-9.6% percentile above) with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46405
Vulnerability details
The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain sensitive information, and to delete arbitrary directories, including the root WordPress directory.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Path validation: validate pathnames and filenames (here, the value of the dropzone_hash parameter) so that the resolved path cannot escape the intended directory; an allow-list on the parameter's expected format, combined with a containment check on the canonicalized path, is the usual form of this control.
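The control above as an added illustration, not code from the Startklar Elementor Addons plugin or from the Wordfence advisory: a hypothetical dropzone-style handler in which a client-supplied hash names a per-upload directory under the uploads tree, shown first in the vulnerable form and then hardened. The function names, the directory layout under a temporary base directory, and the 32-hex-character hash format are assumptions made for the example; the plugin's actual code path is not reproduced here.

```php
<?php
// Added example (not Startklar Elementor Addons code). A generic dropzone-style
// handler where a client-supplied "hash" selects a directory under an uploads
// tree. Names, layout and the hash format are assumptions for illustration.

// Stand-in for a WordPress uploads directory; constructed for this example.
define('EXAMPLE_UPLOAD_BASE', sys_get_temp_dir() . '/example-uploads');

/**
 * VULNERABLE pattern (CWE-22): the hash is concatenated straight into a path.
 * A value such as "../../../../etc" walks out of the uploads tree, and any
 * read or recursive delete performed on the result operates outside it.
 * Kept only to show the flaw; do not use.
 */
function vulnerable_resolve(string $dropzone_hash): string
{
    return EXAMPLE_UPLOAD_BASE . '/dropzone/' . $dropzone_hash;
}

/**
 * Hardened resolver:
 *   1. allow-list the token format (an opaque identifier has no business
 *      containing slashes or dots);
 *   2. canonicalize the candidate with realpath(), which collapses "..",
 *      symlinks and redundant separators;
 *   3. require the canonical path to remain inside the intended base.
 * Returns null when the request must be rejected; callers fail closed.
 */
function safe_resolve(string $dropzone_hash): ?string
{
    // Assumption for the example: a dropzone hash is 32 lowercase hex chars.
    if (!preg_match('/\A[a-f0-9]{32}\z/', $dropzone_hash)) {
        return null;
    }
    $base = realpath(EXAMPLE_UPLOAD_BASE . '/dropzone');
    if ($base === false) {
        return null; // base directory missing: nothing is safe to resolve
    }
    $candidate = realpath($base . '/' . $dropzone_hash);
    if ($candidate === false) {
        return null; // target does not exist: nothing to read or delete
    }
    // Containment check on the canonical path, independent of the regex above,
    // so the two defences do not share a single point of failure.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration on constructed input.
@mkdir(EXAMPLE_UPLOAD_BASE . '/dropzone', 0700, true);
$good_hash = str_repeat('ab', 16);                 // a well-formed 32-hex token
@mkdir(EXAMPLE_UPLOAD_BASE . '/dropzone/' . $good_hash, 0700, true);
$evil_hash = '../../../../etc';                     // a traversal payload

echo 'vulnerable: ' . vulnerable_resolve($evil_hash) . PHP_EOL;
echo 'hardened (traversal): ' . var_export(safe_resolve($evil_hash), true) . PHP_EOL;
echo 'hardened (well-formed): ' . var_export(safe_resolve($good_hash), true) . PHP_EOL;
```

The order of the checks matters in practice: the allow-list rejects malformed tokens before the filesystem is touched, and the realpath() containment check catches anything the allow-list did not anticipate (for example a symlink planted inside the uploads tree). Where the handler goes on to delete the resolved directory, that second check is what keeps a recursive delete from ever being pointed at the WordPress root.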