CVE-2024-37547

6.5 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in the Livemesh Addons for Elementor WordPress plugin, which the vendor advisory (Patchstack) classifies as a PHP local file inclusion (LFI). By manipulating a file path, an attacker can make the plugin include files from outside the directory it was meant to load from. Because the sink is a PHP include, the impact is not limited to reading files: any included PHP file is executed with the web server's privileges, so a file the attacker can influence (an upload, a log) can become code execution. Every WordPress site running an affected version with the plugin active is exposed.

💻 Affected Systems

Products:
  • Livemesh Addons for Elementor WordPress Plugin
Versions: All versions up to and including 8.4.0, as listed on this page. Note that the Patchstack advisory URL below names 8.3.7 as the last affected release, so confirm the exact version boundary against the advisory before relying on it.
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated. No special configuration needed.

📦 What is this software?

Livemesh Addons for Elementor (plugin slug addons-for-elementor) is a WordPress plugin that adds extra widgets and page sections to the Elementor page builder. It is PHP code running inside WordPress, so a file-inclusion bug in it executes with the same privileges as the rest of the site.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site compromise: disclosure of the database credentials and salts in wp-config.php, followed by database takeover (admin account creation, content injection), or direct remote code execution by including an attacker-influenced local file such as an uploaded image containing PHP or a poisoned log.

🟠

Likely Case

Unauthorized access to configuration and other readable files on the server, exposing database credentials, API keys and other secrets, with the attacker moving on to the database or to mass scanning of other sites running the same plugin.

🟢

If Mitigated

With the patch applied (or an open_basedir restriction and a WAF in front), inclusion is confined to the plugin's intended template directory or at worst to the WordPress root, so system files and credentials outside it stay out of reach.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes (assessment; no PoC is cited on this page)
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (unconfirmed; see note below)
Complexity: LOW

Path traversal and LFI bugs are typically trivial to trigger with a single crafted request, and encoded variants of '../' are easy to generate with common tooling, so the complexity rating is sound. The Patchstack advisory linked below documents the vulnerability class; it is the basis for the flags above, not evidence of in-the-wild exploitation. One consistency check worth making: under CVSS 3.1, a network-reachable, low-complexity, confidentiality-high bug scores 7.5 when no privileges are required and exactly 6.5 when low privileges are required. The 6.5 MEDIUM score at the top of this page therefore points to a low-privilege (authenticated) vector, so verify the "unauthenticated" flag against the advisory before treating this as a pre-auth bug.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4.1 or later (per this page; the advisory URL below references 8.3.7, so confirm the fixed release against the advisory)

Vendor Advisory: https://patchstack.com/database/vulnerability/addons-for-elementor/wordpress-elementor-addons-by-livemesh-plugin-8-3-7-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Livemesh Addons for Elementor'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 8.4.1+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily deactivate the vulnerable plugin until it is patched. Pages built with its widgets will lose those elements while it is off.

wp plugin deactivate addons-for-elementor

Web Application Firewall Rule

Platform: all

Block path traversal patterns at the WAF.

Block requests whose path or query string, after URL-decoding (including a second decode to catch double encoding such as %252e%252e%252f), contains '../' or '..\', or names wp-config.php. A rule that matches only the literal '../' is bypassed by '%2e%2e/', '..%2f' and backslash variants. Treat the WAF rule as a stopgap: the plugin code remains vulnerable behind it.

🧯 If You Can't Patch

  • Set PHP's open_basedir to the WordPress root so that include() of paths outside it fails; this is the mitigation that actually constrains an LFI.
  • Tighten file permissions on sensitive directories. Note that this does not protect wp-config.php from the PHP process, which must be able to read it; it only limits reach to files owned by other users outside the web root.
  • Deploy a web application firewall with path traversal detection rules that match decoded and double-decoded input.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Livemesh Addons for Elementor' version ≤8.4.0

Check Version:

wp plugin get addons-for-elementor --field=version

Verify Fix Applied:

Confirm the plugin version is 8.4.1 or higher in the WordPress plugins list, and that no second copy of the plugin directory (for example a renamed backup under wp-content/plugins) still contains the old code.
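The version check above can be scripted against the JSON that `wp plugin list --format=json` prints (fields name, status, update, version). The following is an added example, not code from the plugin or from Patchstack. It takes the affected range from this page (up to and including 8.4.0, fixed in 8.4.1; adjust LAST_VULNERABLE if the advisory states a different boundary) and the sample wp-cli output is constructed, with the elementor version number made up for illustration.

```python
import json
import re
import subprocess

# Values taken from this page; the Patchstack advisory URL names 8.3.7, so
# adjust LAST_VULNERABLE if the advisory gives a different boundary.
PLUGIN_SLUG = "addons-for-elementor"
LAST_VULNERABLE = "8.4.0"

# Constructed sample of `wp plugin list --format=json` output (not a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "update": "none", "version": "3.21.0"},
    {"name": "addons-for-elementor", "status": "active", "update": "available", "version": "8.3.7"},
])


def parse_version(v: str) -> tuple:
    """Turn '8.3.7' or '8.4' into a tuple of ints; a suffix such as '-beta1' is ignored,
    which deliberately treats pre-releases of a vulnerable version as vulnerable."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(version: str) -> bool:
    """True when version <= LAST_VULNERABLE, padding so that 8.4 compares as 8.4.0."""
    a, b = parse_version(version), parse_version(LAST_VULNERABLE)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def assess(plugin_list_json: str) -> dict:
    """Report whether the plugin is installed, active and in the affected range."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG:
            return {
                "installed": True,
                "version": plugin["version"],
                "active": plugin.get("status") == "active",
                "vulnerable": is_vulnerable(plugin["version"]),
            }
    return {"installed": False, "version": None, "active": False, "vulnerable": False}


def assess_live_site() -> dict:
    """Run wp-cli on the current site (requires wp on PATH and a WordPress install)."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json"],
        capture_output=True, text=True, check=True,
    ).stdout
    return assess(out)


if __name__ == "__main__":
    print(assess(SAMPLE_WP_PLUGIN_LIST))
```

Run it from the WordPress root with `assess_live_site()` instead of the sample to check a real install; a result with installed and active both true and vulnerable true means the site needs the update, and installed true with active false still means the old code is on disk and should be updated or removed.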

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with '../' or '..\' sequences in the path or query string, including URL-encoded and double-encoded forms ('%2e%2e/', '..%2f', '..%5c', '%252e%252e%252f')
  • Requests naming files that no legitimate page loads, such as wp-config.php, /etc/passwd or .env
  • Traversal requests that returned HTTP 200 with a non-trivial body; 404s indicate scanning, 200s indicate a possible read or include

Network Indicators:

  • Bursts of traversal-style requests from a single source IP, typically iterating depth ('../' repeated 1..10 times) and target file names
  • Requests for known sensitive file paths arriving at plugin or admin-ajax endpoints that normally only serve widget content

SIEM Query:

web_access_logs WHERE url CONTAINS '../' OR url CONTAINS '..\' OR url CONTAINS '%2e%2e' OR url CONTAINS '..%2f' OR url CONTAINS '..%5c' OR url CONTAINS 'wp-config'

If the SIEM can URL-decode the field before matching, decode (twice, to catch double encoding) and match on the decoded value instead of enumerating encodings. Group results by source IP and response status; expect some false positives from legitimate query text containing '..', which the decoded '../' match avoids.
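The WAF rule in the workarounds section and the log indicators and SIEM query above rely on the same normalization step: decode the request target (repeatedly, to defeat double encoding), unify '\' and '/', and only then match for '../' and sensitive file names. The script below is an added example of that logic run over constructed Apache combined-format log lines; it is not code from the plugin, Patchstack, or any WAF product. The `?file=` parameter in the sample is hypothetical and stands in for whatever parameter the vulnerable code reads; it is not the plugin's real parameter name, and the IPs, timestamps and paths are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
# The ?file= parameter is hypothetical, not the plugin's actual parameter name.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/addons-for-elementor/assets/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "GET /?s=what..is+this HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2024:12:05:10 +0000] "GET /wp-admin/admin-ajax.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [10/Jun/2024:12:05:11 +0000] "GET /wp-admin/admin-ajax.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1312 "-" "curl/8.0"
203.0.113.10 - - [10/Jun/2024:12:05:12 +0000] "GET /wp-admin/admin-ajax.php?file=..%5c..%5cwp-config.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# After normalization every separator is '/', so one pattern covers '..\' too.
DOT_DOT = re.compile(r"\.\.(?:/|$)")
SENSITIVE = re.compile(r"wp-config\.php|/etc/(?:passwd|shadow)", re.IGNORECASE)


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e%252f becomes '../',
    then map backslashes to slashes."""
    s = target
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def classify(target: str) -> list:
    """Reasons a request target looks like traversal/LFI probing (empty if benign)."""
    norm = normalize(target)
    reasons = []
    if DOT_DOT.search(norm):
        reasons.append("dot-dot traversal")
    if SENSITIVE.search(norm):
        reasons.append("sensitive file name")
    if "\x00" in norm:
        reasons.append("null byte")
    return reasons


def should_block(target: str) -> bool:
    """WAF-style decision: block if any indicator fires on the decoded target."""
    return bool(classify(target))


def scan(log_text: str) -> list:
    """Detection-style pass over log lines; returns one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


def hits_by_ip(hits: list) -> Counter:
    """Count suspicious requests per source IP to surface single-source bursts."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ip"], h["status"], h["target"], h["reasons"])
    print(hits_by_ip(scan(SAMPLE_LOG)))
```

The benign search query containing '..' is not flagged because the match requires a separator after the dots, while the double-encoded and backslash variants are caught only because matching happens after normalization; a literal '../' substring rule would miss both. Status codes are kept on each hit so that 200 responses can be triaged ahead of 404 scanner noise.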

🔗 References

  • Patchstack advisory: https://patchstack.com/database/vulnerability/addons-for-elementor/wordpress-elementor-addons-by-livemesh-plugin-8-3-7-local-file-inclusion-vulnerability?_s_id=cve