CVE-2024-3500

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published May 2, 2024

CWE ID 352

Summary

CVE-2024-3500 is a vulnerability affecting the ElementsKit Pro plugin for WordPress. This issue, present in versions up to 3.6.0, enables authenticated attackers with contributor-level access or higher to perform Local File Inclusion through the Price Menu, Hotspot, and Advanced Toggle widgets. By exploiting this vulnerability, adversaries can execute arbitrary PHP code in included files, leading to potential data breaches, code execution, and access control bypasses. The vulnerability poses a significant risk, especially when dealing with files that are typically considered safe for upload, such as images.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/v2Bpm2
https://www.cve.org/CVERecord?id=CVE-2024-3500
https://nvd.nist.gov/vuln/detail/CVE-2024-3500

Back to Vulnerability Database

CVE-2024-3500

CVSS 3.1 Score 8.8 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations