PT-2024-17362 · WordPress · Classic Addons – WPBakery Page Builder

Nir Kum (+2) · Published 2024-12-04 · Updated 2024-12-09 · CVE-2024-11952

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Classic Addons – WPBakery Page Builder plugin for WordPress, versions up to and including 3.0

Description: The issue allows authenticated attackers with Contributor-level access and above, and permissions granted by an Administrator, to include and execute arbitrary PHP files on the server via the style parameter. This enables the execution of any PHP code in those files, which can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The issue is limited to PHP files in a Windows environment.

Recommendations: For Classic Addons – WPBakery Page Builder plugin for WordPress versions up to and including 3.0, consider disabling the style parameter to prevent the inclusion and execution of arbitrary PHP files until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with Contributor-level access and above.
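The weakness described above is a user-supplied template name reaching a PHP include path. The following is an added illustrative example, not the plugin's code: a hypothetical handler that first shows the unsafe pattern (raw parameter concatenated into the include path) and then a hardened version that maps the `style` value onto a fixed allow-list and verifies the resolved path with `realpath()`, so traversal sequences and alternate separators can never select a file outside the template directory. All function names, file names and the `styles/` directory are assumptions.

```php
<?php
// Added example (not from the advisory or the plugin). Function and file
// names are hypothetical; "style" is the parameter named in the advisory.

// Unsafe pattern: the raw parameter becomes part of the filesystem path,
// so anything the user types is interpreted as a path component.
function render_style_unsafe(string $style): void
{
    include __DIR__ . '/styles/' . $style . '.php';
}

// Hardened pattern: user input selects a key in a fixed allow-list and the
// key, not the input, determines the file name.
const ALLOWED_STYLES = [
    'default' => 'style-default.php',
    'compact' => 'style-compact.php',
    'wide'    => 'style-wide.php',
];

// Returns the absolute template path for an allowed style name, or null.
function resolve_style_template(string $style): ?string
{
    if (!array_key_exists($style, ALLOWED_STYLES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/styles');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . ALLOWED_STYLES[$style]);
    // Defence in depth: realpath() normalises "..", symlinks and, on Windows,
    // mixed separators; the result must still sit under the template directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_style(string $style): void
{
    $template = resolve_style_template($style);
    if ($template === null) {
        // Record the rejected value for detection; hex-encode it so log
        // injection via the parameter is not possible.
        error_log('Rejected style template request: ' . bin2hex($style));
        $template = resolve_style_template('default');
        if ($template === null) {
            return; // template directory missing; render nothing rather than guess
        }
    }
    include $template;
}

// Usage: $_GET['style'] is an untrusted string; the handler only ever
// includes one of the three files listed in ALLOWED_STYLES.
render_style((string) ($_GET['style'] ?? 'default'));
```

The allow-list is the actual fix; the `realpath()` prefix check is a second line of defence that also catches a misconfigured allow-list entry. Monitoring for the `Rejected style template request` log line gives defenders a signal that the parameter is being probed.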

Fix

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2024-11952

Affected Products: Classic Addons – Wpbakery Page Builder