cbcvebase.
CVE-2024-9935
published 2024-11-16

CVE-2024-9935: The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the…

PriorityP262high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
7.49%
93.7th percentile
The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-24569 may be a duplicate of this issue.

Affected

1 ranges
VendorProductVersion rangeFixed in
redefiningthewebpdf_generator_for_wordpress_elementor<= 2.0.0

Detection & IOCsextracted from sources · hover to see the quote

url/elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
path/wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/
pathpublic/class-pdf-generator-addon-for-elementor-page-builder-public.php
yara
rule CVE_2024_9935_path_traversal { strings: $param1 = "rtw_generate_pdf=true" $param2 = "rtw_pdf_file=" $traversal = "..%2f" condition: $param1 and $param2 and $traversal }
  • Detect exploitation attempts by monitoring HTTP requests containing both 'rtw_generate_pdf=true' and 'rtw_pdf_file=' query parameters, especially with path traversal sequences (../ or URL-encoded variants like ..%2f).
  • Responses to exploit attempts will have Content-Type 'application/pdf' and HTTP 200 status, while the body contains the contents of the traversed file (e.g., matching 'root:.*:0:0:' for /etc/passwd).
  • Fingerprint vulnerable WordPress installations by checking page bodies for the plugin path string 'wp-content/plugins/pdf-generator-addon-for-elementor-page-builder'.
  • The vulnerable function is rtw_pgaepb_dwnld_pdf() at line 133 of the plugin's public class file; no authentication is required to trigger it.
  • ·The NVD entry lists the vulnerable version range as up to and including 2.0.0, while the Nuclei template and Wordfence advisory reference 1.7.5 as the upper bound. Detection rules should account for both version ranges.
  • ·CVE-2025-24569 may be a duplicate of this issue; correlate alerts from both CVEs to avoid double-counting incidents.
  • ·The Nuclei template uses a two-step flow: first confirming plugin presence on the target, then sending the traversal payload. Single-request detections may miss the prerequisite fingerprinting step.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.