CVE-2024-49243

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)

Published: Oct 18, 2024 / Updated: 32d ago

CVSS 8.8 / EPSS 0.04% / Severity: High

Summary

An Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability has been identified in Jon Vincent Mendoza Dynamic Elementor Addons. This vulnerability allows for PHP Local File Inclusion, affecting versions of Dynamic Elementor Addons up to and including 1.0.0.

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 8.8. It can be exploited remotely over the network, requires low privileges, and does not need user interaction. The potential impact is severe, with high risks to confidentiality, integrity, and availability of the affected system. Attackers could potentially execute arbitrary code, access sensitive information, or cause system disruptions by including malicious local files.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, since the vulnerability affects Dynamic Elementor Addons versions up to and including 1.0.0, an updated version addressing this issue is likely available or in development.

Mitigation

To mitigate this vulnerability:

1. Update Dynamic Elementor Addons to a version newer than 1.0.0 if available.
2. Implement strict input validation and sanitization for all user-supplied input, especially values used in file inclusion operations.
3. Use allow-lists for permitted file inclusions rather than block-lists.
4. Employ the principle of least privilege in PHP configurations and file system permissions.
5. Consider using a Web Application Firewall (WAF) to detect and block potential PHP file inclusion attempts.
6. Regularly audit and monitor system logs for any suspicious file inclusion activity.
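Mitigation items 2 and 3 above are the core of the fix for CWE-98. The following added example (not code from Dynamic Elementor Addons or its author; the template names, the `templates/` directory and the `template` request parameter are assumptions) shows the vulnerable pattern next to an allow-list version: user input is only ever used as a key into a fixed map, and the resolved path is additionally checked to stay inside the intended directory.

```php
<?php
// Added illustration of CWE-98 (local file inclusion) and its allow-list fix.
// Hypothetical code; it is not taken from the affected plugin.

// Vulnerable pattern: a request parameter flows straight into include.
// The caller controls which file on the server is pulled in and executed,
// which is exactly the class of bug CVE-2024-49243 describes.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: the only accepted values are keys of this fixed map.
// Adding a template means editing the map, never trusting the request.
const TEMPLATE_ALLOWLIST = [
    'grid'     => 'grid.php',
    'carousel' => 'carousel.php',
    'list'     => 'list.php',
];

// Returns the absolute path of an allow-listed template, or null if the
// requested name is not on the list or resolves outside the template dir.
function resolve_template(string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . TEMPLATE_ALLOWLIST[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: even a mistaken allow-list entry cannot escape $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Constructed inputs for a quick check; only 'grid' can ever reach include().
foreach (['grid', '../outside', 'grid.php', ''] as $candidate) {
    $result = resolve_template($candidate);
    printf("%-12s => %s\n", var_export($candidate, true), $result === null ? 'rejected' : 'accepted');
}

// Usage in a request handler (e.g. a shortcode or AJAX callback):
// render_template_safe((string) ($_GET['template'] ?? 'grid'));
```

The allow-list lookup alone closes the hole, because no user-controlled string is ever concatenated into the include path; the `realpath` prefix check only guards against a future maintainer adding a bad entry to the map. Rejecting unknown names with a 400 also gives log monitoring (mitigation item 6) a clean signal to alert on.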

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-49243

Oct 18, 2024 at 10:15 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 18, 2024 at 10:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-49243. See article

Oct 18, 2024 at 10:24 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 18, 2024 at 10:24 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 19, 2024 at 9:48 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 22, 2024 at 2:12 PM / nvd

Affected Systems

Jonvincentmendoza/dynamic_elementor_addons

Links to Mitre Att&cks

T1055: Process Injection

Attack Patterns

CAPEC-193: PHP Remote File Inclusion

News

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024)
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week: WordPress Plugins with Reported Vulnerabilities Last Week
CVE Alert: CVE-2024-49243 - https://www.redpacketsecurity.com/cve_alert_cve-2024-49243/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_49243
CVE Alert: CVE-2024-49243
CVE-2024-49243
High Severity Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jon Vincent Mendoza Dynamic Elementor Addons allows PHP Local File Inclusion. This issue affects Dynamic Elementor Addons: from n/a through 1.0.0. Read more at https://www.tenable.com/cve/CVE-2024-49243
NA - CVE-2024-49243 - Improper Control of Filename for...
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jon Vincent Mendoza Dynamic Elementor Addons allows PHP Local File...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
