CVE-2024-13592
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to perform Local File Inclusion attacks via the 'team-builder-vc' shortcode. Because Contributors can save post content that contains shortcodes, an attacker can make the server include and execute files of their choosing. On its own that discloses readable files on the host; it becomes remote code execution when the attacker can first get PHP code onto disk in a file they are then able to include (for example inside an otherwise permitted upload), which in turn opens the way to privilege escalation and full site takeover. All WordPress sites running the Team Builder For WPBakery Page Builder plugin at version 1.0 or earlier are affected.
💻 Affected Systems
- Team Builder For WPBakery Page Builder (formerly Visual Composer) WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, leading to data exfiltration, ransomware deployment, or complete site takeover.
Likely Case
Unauthorized file access leading to sensitive data exposure, privilege escalation to administrator, or backdoor installation.
If Mitigated
Reduced impact where uploads cannot be turned into includable PHP (PHP execution disabled in wp-content/uploads, strict upload type checks) and the web server runs with minimal file permissions, but inclusion of files the web server can read, and the resulting information disclosure, remains possible.
🎯 Exploit Status
Exploitation requires an authenticated account with Contributor rights or higher (easy to obtain on sites with open registration whose default role is Contributor) and knowledge of the vulnerable shortcode. To turn file inclusion into code execution the attacker needs a file on disk whose contents they control and whose path they can name in the shortcode, so they typically stage one first (for example through the media uploader) or fall back on files that already exist on the server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not confirmed here. Check the plugin's changelog in the WordPress plugin repository for a release later than 1.0 that addresses this issue; if none exists, treat the plugin as unpatched and use the workarounds below.
Plugin Source (WordPress.org Trac, not a vendor advisory): https://plugins.trac.wordpress.org/browser/team-builder-for-wpbakery-page-builder
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Team Builder For WPBakery Page Builder'.
4. Click 'Update Now' if an update is offered. Deleting and reinstalling only helps if the version you reinstall is newer than 1.0; reinstalling 1.0 leaves the site vulnerable.
5. Verify that the update completed and that the installed version is now greater than 1.0.
🔧 Temporary Workarounds
Disable vulnerable shortcode
WordPress: Remove or disable the 'team-builder-vc' shortcode so stored invocations are never rendered.
Add to the theme's functions.php: remove_shortcode('team-builder-vc');
Run it from an init callback with a late priority rather than at the top level of functions.php, so it executes after the plugin has registered the shortcode; a call that runs too early has no effect. Once the shortcode is unregistered, WordPress outputs the bracketed tag as literal text on any page that used it, and no log entry is produced.
Restrict file inclusion
WordPress: Restricting the file parameter means changing the plugin's own shortcode handler, so it is only practical if you maintain a fork. If you do, validate the value against an allowlist of known template names instead of stripping '../', and resolve the final path with realpath() and confirm it stays inside the plugin's template directory before including it.
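As an added example (not code from the plugin or its author), the following must-use plugin implements both workarounds above in one place. It intercepts the shortcode through the core pre_do_shortcode_tag filter, which lets WordPress skip the plugin's callback, and logs each intercepted invocation so a blocked attempt is still visible. It assumes the plugin registers 'team-builder-vc' through the standard shortcode API and, because the vulnerable attribute name is not documented here, it inspects every attribute. The TBVC_STOPGAP_MODE constant and all function names are this example's own.

```php
<?php
/**
 * Plugin Name: team-builder-vc stopgap (CVE-2024-13592)
 * Description: Intercepts the 'team-builder-vc' shortcode before the plugin's
 *              handler runs. Copy this file into wp-content/mu-plugins/ (create the
 *              directory if it does not exist); mu-plugins load before regular
 *              plugins and cannot be deactivated from wp-admin.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // no direct access
}

// 'block'  : never render the shortcode (safest; matches "disable vulnerable shortcode").
// 'filter' : render it unless an attribute value looks like a path or a PHP target.
//            This is a denylist and can be bypassed; use it only while a fix is pending.
if ( ! defined( 'TBVC_STOPGAP_MODE' ) ) {
    define( 'TBVC_STOPGAP_MODE', 'block' );
}

/**
 * True when an attribute value looks like something that should never reach include():
 * directory traversal, absolute or drive-letter paths, stream wrappers (php://, data://),
 * PHP-like extensions or NUL bytes. URL-decoded once first so %2e%2e%2f is caught too.
 */
function tbvc_stopgap_is_suspicious_value( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    $v = strtolower( rawurldecode( $value ) );
    return 1 === preg_match( '#(\.\.[/\\\\]|^[/\\\\]|^[a-z]:[/\\\\]|://|\.ph(?:p\d?|tml|ar)\b|\0)#', $v );
}

/**
 * Runs on pre_do_shortcode_tag (WordPress >= 4.7). Returning anything other than
 * false makes WordPress use that value as the output and skip the shortcode callback.
 */
function tbvc_stopgap_pre_do_shortcode( $return, $tag, $attr, $m ) {
    if ( 'team-builder-vc' !== $tag ) {
        return $return;
    }
    $attr    = (array) $attr; // WordPress passes '' when the shortcode has no attributes
    $flagged = array_filter( $attr, 'tbvc_stopgap_is_suspicious_value' );

    if ( 'filter' === TBVC_STOPGAP_MODE && empty( $flagged ) ) {
        return $return; // benign-looking invocation: let the plugin render it
    }

    // Log the post and its author (the account that stored the shortcode), not the viewer.
    $post_id = (int) get_the_ID();
    error_log( sprintf(
        '[tbvc-stopgap] %s team-builder-vc shortcode suppressed post=%d author=%d attrs=%s',
        empty( $flagged ) ? 'INFO' : 'SUSPICIOUS',
        $post_id,
        (int) get_post_field( 'post_author', $post_id ),
        wp_json_encode( $attr )
    ) );
    return ''; // render nothing in place of the shortcode
}
add_filter( 'pre_do_shortcode_tag', 'tbvc_stopgap_pre_do_shortcode', 10, 4 );
```

Log lines land in the PHP error log, or in wp-content/debug.log when WP_DEBUG_LOG is enabled. Keep the default 'block' mode until a fixed release is installed. The filter only sees invocations that pass through the WordPress shortcode API; if the plugin also renders its template through some other code path, the filter does not intercept it, so confirm on a staging copy that the shortcode really produces no output before relying on this.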
🧯 If You Can't Patch
- Remove the plugin entirely and use alternative team builder solutions
- Implement strict file upload restrictions and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Team Builder For WPBakery Page Builder' version 1.0 or earlier
Check Version:
wp plugin list --name='team-builder-for-wpbakery-page-builder' --field=version
Verify Fix Applied:
Verify that the installed plugin version is greater than 1.0 and that the release changelog references this issue. Then, on a staging copy rather than production, confirm the shortcode still renders with its normal parameters and that a value containing '../' is rejected rather than included.
📡 Detection & Monitoring
Log Indicators:
- Contributor-level accounts creating or editing posts and drafts that contain the 'team-builder-vc' shortcode, especially with attribute values that look like file paths
- PHP warnings in the error log such as include() / "failed to open stream" that name unexpected paths (failed inclusion attempts while the attacker guesses a path)
- Web server requests for .php files under wp-content/uploads or other upload directories
Network Indicators:
- POST requests to wp-admin/post.php, admin-ajax.php or the REST endpoint /wp-json/wp/v2/posts whose body contains '[team-builder-vc' together with a traversal sequence ('../', '%2e%2e%2f') or a '.php' reference; note that plain access logs do not record request bodies, so this needs a WAF or body-logging data source
- A media upload by a low-privileged account followed shortly by a post edit that adds the shortcode
SIEM Query:
waf_or_request_body_logs WHERE body CONTAINS '[team-builder-vc' AND (body CONTAINS '../' OR body CONTAINS '%2e%2e' OR body CONTAINS '.php')
This pseudo-query only works against a data source that captures request bodies; a URI-based search will not find the shortcode because it is stored in post content, not in the URL. For sites without body logging, scan the stored post content (including revisions) instead.
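Because shortcodes are stored in post content, the most reliable retroactive check is to scan the posts table itself. The script below is an added example (not part of the advisory or the plugin) that does this from WP-CLI: it pulls every row whose content mentions the shortcode, including revisions and drafts, parses each invocation with WordPress's own shortcode grammar, and flags attribute values that look like file paths. It assumes the attribute carrying the path is unknown, so all attributes are checked; the function names are this example's own.

```php
<?php
/**
 * Offline scan for stored 'team-builder-vc' shortcodes whose attribute values look
 * like file paths. Run inside a loaded WordPress, e.g.:
 *   wp eval-file tbvc-scan.php
 * Queries the posts table directly so revisions, drafts and every post type are
 * covered; an attacker who inserted the shortcode and later removed it still leaves
 * a revision behind.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/** Traversal, absolute or drive paths, stream wrappers, PHP-like extensions, NUL bytes. */
function tbvc_scan_is_suspicious_value( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    $v = strtolower( rawurldecode( $value ) );
    return 1 === preg_match( '#(\.\.[/\\\\]|^[/\\\\]|^[a-z]:[/\\\\]|://|\.ph(?:p\d?|tml|ar)\b|\0)#', $v );
}

/**
 * Extract every [team-builder-vc ...] occurrence from a blob of post content using the
 * core shortcode regex, so quoting and spacing are parsed exactly as the renderer
 * parses them. Returns one attribute array per invocation.
 */
function tbvc_scan_extract_calls( $content ) {
    $regex = '/' . get_shortcode_regex( array( 'team-builder-vc' ) ) . '/';
    if ( ! preg_match_all( $regex, $content, $matches, PREG_SET_ORDER ) ) {
        return array();
    }
    $calls = array();
    foreach ( $matches as $m ) {
        // $m[3] is the raw attribute string; shortcode_parse_atts() returns '' when it is empty.
        $calls[] = (array) shortcode_parse_atts( $m[3] );
    }
    return $calls;
}

/** Direct LIKE query: cheap, and not limited to published posts the way WP_Query is. */
function tbvc_scan_find_rows() {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( '[team-builder-vc' ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_type, post_status, post_author, post_modified, post_content
           FROM {$wpdb->posts} WHERE post_content LIKE %s",
        $like
    ) );
}

/** Print one line per invocation and return the number of suspicious ones. */
function tbvc_scan_run() {
    $hits = 0;
    foreach ( tbvc_scan_find_rows() as $row ) {
        foreach ( tbvc_scan_extract_calls( $row->post_content ) as $atts ) {
            $flagged = array_filter( $atts, 'tbvc_scan_is_suspicious_value' );
            if ( $flagged ) {
                $hits++;
            }
            $line = sprintf(
                '%s post=%d type=%s status=%s author=%d modified=%s atts=%s',
                $flagged ? 'SUSPICIOUS' : 'info',
                $row->ID, $row->post_type, $row->post_status, $row->post_author,
                $row->post_modified, wp_json_encode( $atts )
            );
            if ( class_exists( 'WP_CLI' ) ) {
                WP_CLI::line( $line );
            } else {
                echo esc_html( $line ), "\n";
            }
        }
    }
    return $hits;
}

$tbvc_suspicious = tbvc_scan_run();
if ( class_exists( 'WP_CLI' ) ) {
    if ( $tbvc_suspicious ) {
        WP_CLI::warning( "$tbvc_suspicious suspicious team-builder-vc invocation(s) found" );
    } else {
        WP_CLI::success( 'no suspicious team-builder-vc invocations found' );
    }
}
```

Every 'SUSPICIOUS' line names the post ID and author, which is the starting point for the incident timeline: check that account's login history, its media uploads around post_modified, and the web server log for requests to the affected page at that time. An 'info' line with an attribute value you do not recognise as one of the plugin's own template names still deserves a look, since the heuristic is deliberately narrow.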