CVE-2024-37255

5.3 MEDIUM

📋 TL;DR

This CVE describes a missing authorization vulnerability in the Wpmet Elements Kit Elementor addons plugin for WordPress. It allows unauthenticated attackers to access functionality that should be restricted by access controls. This affects all WordPress sites using Elements Kit Elementor addons versions up to 3.1.4.

💻 Affected Systems

Products:
  • Wpmet Elements Kit Elementor addons
Versions: n/a through 3.1.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin enabled. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify site content, inject malicious code, or access administrative functions without authentication, potentially leading to complete site compromise.

🟠 Likely Case

Unauthenticated attackers can access restricted functionality, potentially modifying content, creating backdoors, or extracting sensitive information.

🟢 If Mitigated

With proper network segmentation and web application firewalls, impact is limited to the specific WordPress instance.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows unauthenticated access to restricted endpoints, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.5 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/elementskit-lite/wordpress-elementskit-lite-plugin-3-1-4-unauthenticated-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'Elements Kit Elementor addons'.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.1.5+ from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin

Applies to: all

Temporarily disable the Elements Kit Elementor addons plugin until patched:

wp plugin deactivate elementskit-lite

Web Application Firewall rule

Applies to: all

Block access to vulnerable plugin endpoints.

Add a WAF rule to block requests to /wp-content/plugins/elementskit-lite/* for unauthenticated users. Note that the same directory also serves the plugin's public CSS and JavaScript, so a blanket block on the whole path can break page rendering for ordinary visitors; scope the rule to the plugin's PHP/AJAX endpoints rather than its static assets, and treat it as a stopgap until the update to 3.1.5 is applied.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WordPress instance
  • Deploy web application firewall with rules blocking unauthenticated access to plugin endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Elements Kit Elementor addons version. If version is 3.1.4 or earlier, system is vulnerable.

Check Version:

wp plugin get elementskit-lite --field=version

Verify Fix Applied:

Verify plugin version is 3.1.5 or later in WordPress admin panel.
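The version check above can be automated across many sites by feeding the output of `wp plugin list --format=json` (which reports `name`, `status`, `update` and `version` per plugin) into a small script. The following is an added example, not part of this advisory; the JSON sample is constructed here to stand in for real `wp plugin list` output, and the only facts it relies on are the plugin slug `elementskit-lite` and the fixed version 3.1.5 stated above.

```python
import json
import re

PLUGIN_SLUG = "elementskit-lite"
FIXED_VERSION = "3.1.5"   # first patched release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '3.1.4' (or '3.1.4-beta') into a tuple of ints for comparison.

    Non-numeric suffixes are dropped and short versions are padded so that
    '3.1' compares equal to '3.1.0'.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable(wp_plugin_list_json: str) -> list:
    """Scan `wp plugin list --format=json` output for unpatched copies.

    Inactive copies are reported too: the plugin files are still on disk
    and will become exploitable the moment someone re-enables the plugin.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        if plugin.get("name") != PLUGIN_SLUG:
            continue
        version = plugin.get("version", "0")
        if is_vulnerable(version):
            findings.append({
                "plugin": plugin["name"],
                "version": version,
                "status": plugin.get("status", "unknown"),
            })
    return findings


# Constructed sample output (not from a real site) in the shape
# `wp plugin list --format=json` produces.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "elementskit-lite", "status": "active", "update": "available", "version": "3.1.4"},
])

if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_PLUGIN_LIST):
        print(f"VULNERABLE: {finding['plugin']} {finding['version']} ({finding['status']})")
```

In practice, pipe the real output in with `wp plugin list --format=json | python3 check.py` (or loop over sites with `--path`); a non-empty findings list means the site is still on 3.1.4 or earlier.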

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /wp-content/plugins/elementskit-lite/* endpoints
  • Multiple 200/403 responses to plugin paths from unauthenticated users

Network Indicators:

  • Unusual POST/GET requests to plugin endpoints without authentication headers
  • Traffic patterns showing access to admin functions from non-admin IPs

SIEM Query:

source="wordpress.log" AND (uri="/wp-content/plugins/elementskit-lite/*" AND NOT (user!="-" OR user_agent contains "wp-admin"))
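The log indicators above can be checked offline against a web server access log before a SIEM rule exists. The following is an added example, not part of this advisory: it parses combined-format access log lines, keeps only requests to non-static paths under /wp-content/plugins/elementskit-lite/, and raises an alert per source IP once a threshold of hits is reached, breaking the count down by 200 and 403 responses. The log lines and the endpoint path `example-endpoint.php` are constructed placeholders (the advisory does not name the affected endpoint), and the threshold of 3 is an arbitrary assumption to tune for your traffic. One caveat built into the code: a standard access log records only HTTP Basic auth users, not WordPress cookie sessions, so the "unauthenticated" filter here is coarse unless your server logs the `wordpress_logged_in_` cookie.

```python
import re
from collections import defaultdict

PLUGIN_PATH = "/wp-content/plugins/elementskit-lite/"
# Static assets under the plugin directory are fetched by every ordinary
# page view and would swamp the signal, so they are ignored.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2", ".map")
THRESHOLD = 3  # assumed alert threshold; tune to your site's baseline

# Apache/nginx "combined" log format:
# ip ident authuser [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_plugin_endpoint(path: str) -> bool:
    """True for plugin requests that are not static assets."""
    return path.startswith(PLUGIN_PATH) and not path.lower().endswith(STATIC_EXT)


def analyze(lines) -> list:
    """Return one alert per source IP that hit plugin endpoints >= THRESHOLD times."""
    per_ip = defaultdict(lambda: {"hits": 0, "statuses": defaultdict(int), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_plugin_endpoint(rec["path"]):
            continue
        # Only HTTP Basic auth shows up in the authuser field; WordPress
        # cookie logins do not, so this filter is deliberately coarse.
        if rec["user"] != "-":
            continue
        bucket = per_ip[rec["ip"]]
        bucket["hits"] += 1
        bucket["statuses"][rec["status"]] += 1
        bucket["paths"].add(rec["path"])
    alerts = []
    for ip, bucket in sorted(per_ip.items()):
        if bucket["hits"] >= THRESHOLD:
            alerts.append({
                "ip": ip,
                "hits": bucket["hits"],
                "statuses": dict(bucket["statuses"]),
                "paths": sorted(bucket["paths"]),
            })
    return alerts


# Constructed sample log lines (not real traffic). 203.0.113.7 probes a
# placeholder plugin endpoint repeatedly; the other clients are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2024:10:00:01 +0000] "POST /wp-content/plugins/elementskit-lite/example-endpoint.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [12/Jun/2024:10:00:02 +0000] "GET /wp-content/plugins/elementskit-lite/assets/style.css HTTP/1.1" 200 9000 "https://example.test/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2024:10:00:03 +0000] "POST /wp-content/plugins/elementskit-lite/example-endpoint.php?step=2 HTTP/1.1" 200 300 "-" "python-requests/2.31"',
    '192.0.2.9 - - [12/Jun/2024:10:00:04 +0000] "GET /wp-content/plugins/elementskit-lite/example-endpoint.php HTTP/1.1" 403 150 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Jun/2024:10:00:05 +0000] "GET /wp-content/plugins/elementskit-lite/example-endpoint.php HTTP/1.1" 403 150 "-" "python-requests/2.31"',
    '203.0.113.7 - admin [12/Jun/2024:10:00:06 +0000] "GET /wp-content/plugins/elementskit-lite/example-endpoint.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: {alert['hits']} hits, statuses {alert['statuses']}")
```

Run it over a real file with `analyze(open("/var/log/nginx/access.log"))`; a burst of 403s followed by 200s from one address against the plugin's PHP endpoints is the pattern worth escalating, since it suggests probing that eventually found an unprotected handler.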
