CVE-2024-9935
Published: 16 November 2024
Summary
CVE-2024-9935 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to path traversal in all versions through 2.0.0. The flaw exists in the rtw_pgaepb_dwnld_pdf() function and is tracked as CWE-22, enabling unauthenticated remote attackers to read arbitrary server files. It carries a CVSS 3.1 score of 7.5 with network attack vector, low complexity, and high confidentiality impact; CVE-2025-24569 is noted as a possible duplicate.
Unauthenticated attackers can supply crafted requests to the vulnerable function and retrieve the contents of sensitive files such as configuration files, credentials, or other data stored on the WordPress server. No authentication or user interaction is required, and successful exploitation yields direct file disclosure without affecting integrity or availability.
The referenced WordPress plugin changeset and Wordfence advisory indicate that a fix has been published; site owners should update the PDF Generator Addon for Elementor Page Builder to the newest version. The EPSS score stands at 0.9382, reflecting substantial exploitation likelihood.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50223
Vulnerability details
The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-24569 may be a duplicate of this issue.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
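The control above, and the file-disclosure risk described under "Deeper analysis", can be illustrated with a containment check for a PDF download handler. This is an added example written for this page, not the plugin's code or its published fix; the function name, the `$base_dir`/`$requested` inputs and the `wp_upload_dir()`-based integration point are assumptions.

```php
<?php
// Added illustration (not the plugin's code): serve a PDF only if the requested
// name resolves inside one allowed directory. Inputs are assumed for the example.

/**
 * Return the absolute path of the requested file if, and only if, it resolves
 * inside $base_dir and is a regular .pdf file; otherwise return false.
 */
function pgaepb_example_safe_pdf_path( string $base_dir, string $requested ) {
    // Resolve the allowed directory once; it must already exist.
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // The download name must be a bare filename: reject NUL bytes and any
    // directory component (this blocks "../" once the request is URL-decoded).
    if ( strpos( $requested, "\0" ) !== false || basename( $requested ) !== $requested ) {
        return false;
    }

    // Resolve the candidate and check it is still under $base after symlinks and
    // dot-segments are collapsed. Compare the resolved path, never the raw input
    // ("." and ".." survive basename() but fail here).
    $candidate = realpath( $base . $requested );
    if ( false === $candidate || strncmp( $candidate, $base, strlen( $base ) ) !== 0 ) {
        return false;
    }

    // Only regular files with a .pdf extension may be served, so configuration
    // files and credentials in the same tree stay unreachable.
    if ( ! is_file( $candidate ) || strtolower( pathinfo( $candidate, PATHINFO_EXTENSION ) ) !== 'pdf' ) {
        return false;
    }
    return $candidate;
}

// Assumed integration point in a download handler:
// $path = pgaepb_example_safe_pdf_path( wp_upload_dir()['basedir'] . '/pdfs', $_GET['file'] ?? '' );
// if ( false === $path ) {
//     wp_die( 'Invalid file', '', array( 'response' => 400 ) );
// }
```

Rejecting the request, rather than silently stripping traversal sequences, also gives the web server and WAF logs a clean signal (a 400 on the download endpoint) to alert on.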