CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37437 – WordPress Elementor Website Builder plugin <= 3.22.1 - Arbitrary SVG File Download vulnerability
https://notcve.org/view.php?id=CVE-2024-37437
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Cross-Site Scripting (XSS), Stored XSS.This issue affects Elementor Website Builder: from n/a through 3.22.1. La limitación inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido ("Path Traversal") en Elementor Elementor Website Builder permite Cross-Site Scripting (XSS), XSS almacenado. Este problema afecta a Elementor Website Builder: desde n/a hasta 3.22.1. The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to arbitrary SVG file download in all versions up to, and including, 3.22.1. This is due to the plugin not properly restricting access to files. • https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-website-builder-more-than-just-a-page-builder-plugin-3-22-1-arbitrary-file-download-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24934 – WordPress Elementor plugin <= 3.19.0 - Arbitrary File Deletion and Phar Deserialization vulnerability
https://notcve.org/view.php?id=CVE-2024-24934
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Manipulating Web Input to File System Calls.This issue affects Elementor Website Builder: from n/a through 3.19.0. La limitación incorrecta de un nombre de ruta a una vulnerabilidad de directorio restringido ("Path Traversal") en Elementor Elementor Website Builder permite manipular la entrada web en llamadas al sistema de archivos. Este problema afecta a Elementor Website Builder: desde n/a hasta 3.19.0. The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to arbitrary file deletions and PHAR deserialization in version up to, and including 3.19.0. This is due to the plugin not providing sufficient path validation on the 'tmp_name' parameter . • https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-19-0-arbitrary-file-deletion-and-phar-deserialization-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47504 – WordPress Elementor plugin <= 3.16.4 - Auth. Arbitrary Attachment Read vulnerability
https://notcve.org/view.php?id=CVE-2023-47504
Improper Authentication vulnerability in Elementor Elementor Website Builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Elementor Website Builder: from n/a through 3.16.4. Vulnerabilidad de autenticación incorrecta en Elementor Elementor Website Builder permite acceder a funciones no restringidas adecuadamente por las ACL. Este problema afecta a Elementor Website Builder: desde n/a hasta 3.16.4. The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_inline_svg function in all versions up to, and including, 3.16.4. This makes it possible for authenticated attackers, with contributor-level access and above, to read arbitrary attachment files. • https://github.com/davidxbors/CVE-2023-47504-POC https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-16-4-contributor-arbitrary-attachment-read-vulnerability?_s_id=cve • CWE-287: Improper Authentication CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33922 – WordPress Elementor plugin <= 3.13.2 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-33922
Missing Authorization vulnerability in Elementor Elementor Website Builder.This issue affects Elementor Website Builder: from n/a through 3.13.2. Vulnerabilidad de autorización faltante en Elementor Elementor Website Builder. Este problema afecta a Elementor Website Builder: desde n/a hasta 3.13.2. The Elementor plugin for WordPress is vulnerable to the creation of emergent resources due to insufficient input validation in the template "save_item" function in versions up to, and including, 3.13.3. This allows authenticated attackers, with contributor-level permissions or above, to create templates with an arbitrary post type, potentially allowing the exploitation of other plugins that depend on custom post types. • https://patchstack.com/database/vulnerability/elementor/wordpress-elementor-plugin-3-13-2-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization CWE-1229: Creation of Emergent Resource •