CVE-2024-3500 in ElementsKit Pro Plugin
Summary
by MITRE • 05/02/2024
The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/09/2025
The ElementsKit Pro plugin for WordPress presents a critical local file inclusion vulnerability that affects all versions up to and including 3.6.0. This security flaw specifically impacts three widgets within the plugin: Price Menu, Hotspot, and Advanced Toggle. The vulnerability stems from insufficient input validation and sanitization mechanisms that fail to properly restrict file paths submitted by users. Attackers with contributor-level access or higher can exploit this weakness to include arbitrary files from the server filesystem, potentially leading to complete system compromise.
The technical nature of this vulnerability places it within the CWE-22 category, which addresses improper limitation of a pathname to a restricted directory, commonly known as path traversal attacks. This flaw allows authenticated attackers to manipulate file inclusion parameters and gain access to sensitive files that should remain protected. The vulnerability operates by accepting user-supplied input that is directly used in file inclusion functions without proper validation, creating a direct path for code execution. When combined with the ability to upload seemingly safe file types such as images, attackers can upload malicious files and subsequently include them through the vulnerable widgets.
The operational impact of this vulnerability extends far beyond simple code execution capabilities. An attacker with contributor privileges can bypass access controls, escalate privileges, and potentially obtain sensitive data from the WordPress installation. The ability to execute arbitrary PHP code through file inclusion means that attackers can perform actions such as creating new administrator accounts, modifying database content, stealing user credentials, or deploying backdoors. The vulnerability is particularly concerning because it requires only contributor-level access, which is often granted to trusted users who should not have the ability to compromise the entire system.
Mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that address the file inclusion flaw. System administrators should implement strict access controls and monitor user activities for suspicious file uploads or widget modifications. The principle of least privilege should be enforced, limiting contributor-level access to only necessary functionality. Additionally, implementing web application firewalls and input validation mechanisms can provide additional protection layers. Organizations should also conduct regular security assessments of their WordPress installations and maintain updated security monitoring tools to detect potential exploitation attempts. The vulnerability demonstrates the importance of proper input validation and the dangerous consequences of insufficient access controls in web applications, aligning with ATT&CK techniques related to privilege escalation and persistence mechanisms.