CVE-2024-37497 – WordPress JetThemeCore plugin < 2.2.1 - Subscriber+ Arbitrary File Deletion vulnerability

https://notcve.org/view.php?id=CVE-2024-37497

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetThemeCore allows File Manipulation.This issue affects JetThemeCore: from n/a before 2.2.1. Vulnerabilidad de limitación inadecuada de un nombre de ruta a un directorio restringido ("Path Traversal") en Crocoblock JetThemeCore permite la manipulación de archivos. Este problema afecta a JetThemeCore: desde n/a antes de 2.2.1. The JetThemeCore for Elementor plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the write file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/jet-theme-core/wordpress-jetthemecore-plugin-2-2-1-subscriber-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •