PT-2024-30584 · WordPress · Startklar Elementor Addons

István Márton

Published

2024-05-07

Updated

2025-03-31

CVE-2024-4345

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Startklar Elementor Addons plugin for WordPress versions up to, and including, 1.7.13

Description The issue is related to arbitrary file uploads due to insufficient file type validation in the process function in the startklarDropZoneUploadProcess class. This allows unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Recommendations For versions up to, and including, 1.7.13, update to a version later than 1.7.13 to resolve the issue. As a temporary workaround, consider disabling the process function in the startklarDropZoneUploadProcess class until a patch is available. Restrict access to the startklarDropZoneUploadProcess class to minimize the risk of exploitation.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2024-4345

Affected Products

Startklar Elementor Addons

PT-2024-30584 · WordPress · Startklar Elementor Addons

CVE-2024-4345

Weakness Enumeration

Related Identifiers

Affected Products

References · 10