CVE-2024-12272
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to perform Local File Inclusion attacks through the WP Travel Engine Elementor Widgets plugin. Attackers can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or privilege escalation. All WordPress sites using this plugin up to version 1.3.7 are affected.
💻 Affected Systems
- WP Travel Engine - Elementor Widgets WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, data exfiltration, backdoor installation, and complete site takeover.
Likely Case
Unauthorized file access, sensitive data leakage, privilege escalation to administrator, and potential malware injection.
If Mitigated
Limited impact if file uploads are restricted and proper access controls prevent file inclusion exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is in multiple widgets within the plugin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.8
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'WP Travel Engine - Elementor Widgets'. 4. Click 'Update Now' if available, or download version 1.3.8+ from WordPress repository. 5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patching is possible
wp plugin deactivate wte-elementor-widgets
Restrict User Roles
allRemove Contributor and higher roles from untrusted users
🧯 If You Can't Patch
- Disable the WP Travel Engine Elementor Widgets plugin immediately
- Implement strict file upload restrictions and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'WP Travel Engine - Elementor Widgets' version 1.3.7 or lowerCheck Version:
wp plugin get wte-elementor-widgets --field=versionVerify Fix Applied:
Verify plugin version is 1.3.8 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion requests in web server logs
- PHP execution attempts from unexpected file paths
- Multiple failed authentication attempts followed by successful Contributor login
Network Indicators:
- HTTP requests containing file inclusion parameters to plugin endpoints
- Unusual outbound connections from web server after file inclusion
SIEM Query:
source="web_server_logs" AND (uri="*wte-elementor-widgets*" AND (param="*file*" OR param="*include*"))