CVE-2024-2210
Published: 2024-03-27
Priority: P3 (37) · Severity: medium · CVSS 3.1 base score: 6.4
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.48% (38.0th percentile)
The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Team Member Listing widget. An authenticated attacker with contributor-level access or above can make the server include and execute arbitrary files, so any PHP code in those files runs. This can be used to bypass access controls, obtain sensitive data, or achieve code execution where images and other “safe” file types can be uploaded and then included. The fix is version 5.4.2 (plugin changeset 3056776, linked below). The PR:L in the CVSS vector reflects the contributor-level login required; since contributor is the lowest WordPress role that can author posts, any site that accepts outside contributors should treat the bug as reachable.
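The following is an added example, not code from The Plus Addons for Elementor or from the linked changeset; the page does not show the plugin's own code path or parameter name. It models the generic pattern the advisory describes (a widget option that selects a template file and is passed to include()) beside a hardened version, and reproduces the chain in the last sentence above: a file that passed an extension-based upload check as an image still executes when included. All function names, file names and the "style" option are assumptions for illustration; the fixtures are constructed in a temp directory.

```php
<?php
declare(strict_types=1);
// Added example (not the plugin's code). Names below are assumptions.

// Vulnerable pattern: a request-controlled value becomes part of the path, and
// include() executes whatever PHP the target contains, whatever its extension.
function render_card_vulnerable(string $templateDir, string $style): string
{
    ob_start();
    include $templateDir . '/' . $style;   // traversal in $style escapes $templateDir
    return (string) ob_get_clean();
}

// Hardened pattern: map the option to a fixed set of files (no user-controlled
// path fragments), then confirm the resolved path still lies inside the
// template directory before including it.
function render_card_safe(string $templateDir, string $style): string
{
    $allowed = ['style-1' => 'style-1.php', 'style-2' => 'style-2.php'];
    if (!isset($allowed[$style])) {
        throw new InvalidArgumentException("unknown template option: $style");
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $allowed[$style]);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('template resolves outside the template directory');
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Constructed fixtures: one legitimate template and an "image" that would pass
// an extension-only upload check but carries PHP.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/templates/style-1.php", '<p>team member card</p>');
file_put_contents("$root/uploads/avatar.jpg", "GIF89a<?php echo 'PHP executed from avatar.jpg'; ?>");

echo "vulnerable:\n";
foreach (['style-1.php', '../uploads/avatar.jpg'] as $style) {
    // second input prints "GIF89aPHP executed from avatar.jpg": the "image" ran as code
    echo '  ', $style, ' => ', render_card_vulnerable("$root/templates", $style), "\n";
}

echo "hardened:\n";
foreach (['style-1', '../uploads/avatar.jpg'] as $style) {
    try {
        echo '  ', $style, ' => ', render_card_safe("$root/templates", $style), "\n";
    } catch (Throwable $e) {
        echo '  ', $style, ' => rejected (', $e->getMessage(), ")\n";
    }
}

// Remove the fixtures.
array_map('unlink', ["$root/templates/style-1.php", "$root/uploads/avatar.jpg"]);
array_map('rmdir', ["$root/templates", "$root/uploads", $root]);
```

Run it with `php lfi-demo.php`. The allowlist alone stops the traversal in this demo; the realpath containment check is the second layer, which matters when the mapped file names or the template directory are themselves configurable. Note also that no null-byte trick is needed here: the vulnerable function appends no extension, so any readable file on the host is a candidate, which is the condition under which a contributor's uploaded "image" becomes code execution.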
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| posimyth | the_plus_addons_for_elementor | < 5.4.2 | 5.4.2 |
Microsoft Edge is not affected by this CVE: the Microsoft advisories listed below describe Chromium and Edge issues (Extended Stable builds 120.0.2210.x) and do not concern this WordPress plugin.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
The 8.8 HIGH vendor score carried by the Microsoft entries below belongs to the Chromium CVEs listed there, not to CVE-2024-2210.
GHSA
GHSA-rchp-3crp-r2v7 · ghsa_unreviewed · 2024-03-27
CVE-2024-2210 [MEDIUM] CWE-22: The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Team Member Listing widget. The advisory text is identical to the NVD description above.
Microsoft
vendor_msrc · 2024-02-13 · CVSS 8.3
CVE-2024-21399 [HIGH] CWE-416 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.98 | 2/1/2024 | 121.0.6167.139/140 |
| Extended Stable | 120.0.2210.167 | 2/1/2024 | 120.0.6099.276 |
FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
This vulnerability could lead to a browser sandbox escape.
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit
Microsoft
vendor_msrc · 2024-02-13 · CVSS 8.8
CVE-2024-1060 [HIGH] Chromium: CVE-2024-1060 Use after free in Canvas
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.98 | 2/1/2024 | 121.0.6167.139/140 |
| Extended Stable | 120.0.2210.167 | 2/1/2024 | 120.0.6099.276 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can
Microsoft
vendor_msrc · 2024-02-13 · CVSS 8.8
CVE-2024-1059 [HIGH] Chromium: CVE-2024-1059 Use after free in WebRTC
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.98 | 2/1/2024 | 121.0.6167.139/140 |
| Extended Stable | 120.0.2210.167 | 2/1/2024 | 120.0.6099.276 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can
Microsoft
vendor_msrc · 2024-02-13 · CVSS 8.8
CVE-2024-1077 [HIGH] Chromium: CVE-2024-1077 Use after free in Network
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.98 | 2/1/2024 | 121.0.6167.139/140 |
| Extended Stable | 120.0.2210.167 | 2/1/2024 | 120.0.6099.276 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can
Microsoft
vendor_msrc · 2024-01-09 · CVSS 8.3
CVE-2024-21385 [HIGH] CWE-416 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/2024 | 120.0.6099.268 |
FAQ: Why is the severity for this CVE rated as Moderate, but the CVSS score is higher than normal?
Per our severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity; specifically, they say, "If a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded". The CVSS scoring system doesn't allow for this type of nuance.
FAQ: According to the CVSS metric,
Microsoft
vendor_msrc · 2024-01-09 · CVSS 5.5
CVE-2024-20721 [MEDIUM] Adobe Systems Incorporated: CVE-2024-20721 Improper Input Validation Denial of Service Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 120.0.2210.133 | 1/11/2024 | 120.0.6099.216/217 |
FAQ: Why is this Adobe CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Adobe Software which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window.
Click on Help and Feedback.
Cl
Microsoft
vendor_msrc · 2024-01-09 · CVSS 2.5
CVE-2024-21336 [LOW] CWE-357 Microsoft Edge (Chromium-based) Spoofing Vulnerability
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
Exploitation of the vulnerability requires the victim to open the vulnerable app.
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L). What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could cover and spoof elements of the UI. The modified information is only visual.
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/20 | |
Microsoft
vendor_msrc · 2024-01-09 · CVSS 5.3
CVE-2024-21387 [MEDIUM] CWE-357 Microsoft Edge for Android Spoofing Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/2024 | 120.0.6099.268 |
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L). What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could cover and spoof elements of the UI. The modified information is only visual.
Product: Microsoft Edge for Android
Vendor: Microsoft
Customer Action Required: Yes
Impact: Spoofing
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest
Microsoft
vendor_msrc · 2024-01-09 · CVSS 3.3
CVE-2024-21383 [LOW] CWE-347 Microsoft Edge (Chromium-based) Spoofing Vulnerability
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/2024 | 120.0.6099.268 |
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker must send the user a malicious file and convince them to open it.
FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) and some loss of integrity (I:L) but have no effect on availability (A:N). How could an attacker impact the PDF file signature?
An attacker could spoof the PDF signature
Microsoft
vendor_msrc · 2024-01-09 · CVSS 5.5
CVE-2024-20709 [MEDIUM] Adobe Systems Incorporated: CVE-2024-20709 Javascript Implementation PDF Vulnerability
Description: This CVE was assigned by Adobe Systems Incorporated. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 120.0.2210.133 | 1/11/2024 | 120.0.6099.216/217 |
FAQ: Why is this Adobe CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Adobe Software which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is
Microsoft
vendor_msrc · 2024-01-09 · CVSS 4.3
CVE-2024-21382 [MEDIUM] CWE-942 Microsoft Edge for Android Information Disclosure Vulnerability
FAQ: According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L). What does that mean for this vulnerability?
Exploitation of this vulnerability only discloses limited information; no sensitive information can be obtained.
FAQ: What is the version information for this release?
| Microsoft Edge Channel | Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|---|
| Stable | 121.0.2277.83 | 1/25/2024 | 121.0.6167.85/.86 |
| Extended Stable | 120.0.2210.160 | 1/25/2024 | 120.0.6099.268 |
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
In a web-based attack scenario, an attacker could host a website (or leverag
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://plugins.trac.wordpress.org/changeset/3056776/the-plus-addons-for-elementor-page-builder
https://www.wordfence.com/threat-intel/vulnerabilities/id/30579058-54f4-4496-9275-078faf99823f?source=cve
Published: 2024-03-27