CVE-2024-43140

7.5 HIGH

📋 TL;DR

This path traversal vulnerability in the Ultimate Bootstrap Elements for Elementor WordPress plugin stems from improper validation of a file path, which lets an attacker include local PHP files (local file inclusion). Depending on which files are reachable, this can expose sensitive files or lead to arbitrary code execution. All WordPress sites running an affected version of the plugin are exposed.

💻 Affected Systems

Products:
  • Ultimate Bootstrap Elements for Elementor WordPress Plugin
Versions: all versions through 1.4.4 (no lower bound specified)
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with the vulnerable plugin installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and website defacement.

🟠 Likely Case: Sensitive file disclosure (configuration files, database credentials) and limited file system access.

🟢 If Mitigated: Limited impact with proper file permissions and web server restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities are commonly exploited and weaponized quickly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.5 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/ultimate-bootstrap-elements-for-elementor/wordpress-ultimate-bootstrap-elements-for-elementor-plugin-1-4-4-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Ultimate Bootstrap Elements for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.4.5 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate ultimate-bootstrap-elements-for-elementor

Web Server Restrictions (applies to: all)

Add web server rules to reject requests whose path contains a literal traversal sequence. Both rules inspect only the request path, not the query string, and both servers may already normalize '..' segments in the path before these rules run, so treat this as a stop-gap rather than a substitute for the patch.

Apache (vhost or .htaccess, requires mod_rewrite):
RewriteEngine On
RewriteRule ^.*\.\./.*$ - [F,L]

Nginx (inside the server block):
location ~ \.\./ { deny all; }

🧯 If You Can't Patch

  • Remove the plugin entirely if not essential.
  • Implement WAF rules to block path traversal patterns.

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins → Installed Plugins and check the version shown for Ultimate Bootstrap Elements for Elementor; any version through 1.4.4 is vulnerable.

Check Version:

wp plugin get ultimate-bootstrap-elements-for-elementor --field=version

Verify Fix Applied:

Confirm plugin version is 1.4.5 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to plugin files containing '../' or its percent-encoded forms (e.g. %2e%2e%2f, %2e%2e/)
  • Unusual file access attempts in web server logs (for example, plugin requests that return 200 for paths outside the plugin directory)

Network Indicators:

  • HTTP requests with path traversal sequences to /wp-content/plugins/ultimate-bootstrap-elements-for-elementor/

SIEM Query:

web.url:*../* AND web.url:*ultimate-bootstrap-elements-for-elementor*
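The log indicators above can be checked offline with a short parser over web server access logs. The following is an added example, not part of this advisory or the plugin: it reads Apache combined-format lines, percent-decodes URLs (bounded, so double-encoded traversal is caught too), and reports requests to the plugin directory that carry a traversal sequence. The log lines, the "x.php?f=" endpoint and the parameter name are constructed placeholders; the advisory does not name the vulnerable file or parameter.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic). The
# "x.php?f=" endpoint and parameter are invented placeholders; the advisory
# does not name the vulnerable file or parameter.
PLUGIN_PATH = "/wp-content/plugins/ultimate-bootstrap-elements-for-elementor/"
SAMPLE_LOGS = [
    f'203.0.113.5 - - [01/Sep/2024:10:00:01 +0000] "GET {PLUGIN_PATH}assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [01/Sep/2024:10:00:02 +0000] "GET {PLUGIN_PATH}x.php?f=../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    f'203.0.113.9 - - [01/Sep/2024:10:00:03 +0000] "GET {PLUGIN_PATH}x.php?f=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    f'203.0.113.9 - - [01/Sep/2024:10:00:04 +0000] "GET {PLUGIN_PATH}x.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.2 - - [01/Sep/2024:10:00:05 +0000] "GET /wp-content/plugins/other-plugin/?p=../secret HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Apache combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\./")

def normalize_url(url, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded
    variants collapse to '../'; fold backslashes so '..\\' is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")

def find_traversal_hits(lines):
    """Return one record per request that targets the plugin directory and
    carries a traversal sequence; the status code lets 200s be triaged first."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = normalize_url(m.group("url"))
        if PLUGIN_PATH not in url.lower() or not TRAVERSAL_RE.search(url):
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "status": int(m.group("status")), "url": url})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOGS):
        print(hit["ip"], hit["status"], hit["url"])
```

A 200 response to such a request on an unpatched site is the record to investigate first; a 404 still shows the host was probed.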
