CVE-2024-49243
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Dynamic Elementor Addons plugin, potentially leading to sensitive information disclosure or code execution. All users of plugin version 1.0.0 and earlier are affected.
💻 Affected Systems
- Dynamic Elementor Addons WordPress Plugin
📦 What is this software?
Dynamic Elementor Addons by Jonvincentmendoza
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, sensitive file disclosure (including configuration files with database credentials), and complete site takeover.
Likely Case
Sensitive information disclosure (configuration files, source code), limited file reading capabilities, and potential privilege escalation through file manipulation.
If Mitigated
Limited impact if proper file permissions are set, web server runs with minimal privileges, and sensitive files are stored outside web root.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability. Public proof-of-concept exists on security research sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Restart Required: No
Instructions:
1. Deactivate and delete the Dynamic Elementor Addons plugin.
2. Remove all plugin files from wp-content/plugins/dynamic-elementor-addons/.
3. Consider alternative Elementor addon plugins with security updates.
🔧 Temporary Workarounds
Disable Plugin
Immediately deactivate the vulnerable plugin to prevent exploitation
wp plugin deactivate dynamic-elementor-addons
Web Application Firewall Rule
Block requests containing local file inclusion patterns targeting the plugin
Add WAF rule: Block requests with 'dynamic-elementor-addons' in URL and file path patterns like '../../' or 'php://'
🧯 If You Can't Patch
- Implement strict file permissions (644 for files, 755 for directories) and run web server with minimal privileges
- Deploy web application firewall with rules to detect and block local file inclusion attempts
🔍 How to Verify
Check if Vulnerable:
Check if wp-content/plugins/dynamic-elementor-addons/ directory exists and contains version 1.0.0 or earlier files
Check Version:
wp plugin list | grep dynamic-elementor-addons
Verify Fix Applied:
Confirm dynamic-elementor-addons directory is completely removed from wp-content/plugins/
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'dynamic-elementor-addons' with file path traversal patterns (../../, /etc/passwd, etc.)
- PHP warnings about failed file inclusions from the plugin directory
Network Indicators:
- HTTP GET/POST requests to plugin endpoints with file path parameters
- Unusual file access patterns from web server process
SIEM Query:
source="web_logs" AND (uri="*dynamic-elementor-addons*" AND (uri="*../*" OR uri="*/etc/*" OR uri="*php://*"))
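As an added defender-side example (not part of the original advisory), the Python script below applies the same indicators as the SIEM query to web access-log lines, URL-decoding each URI first so percent-encoded traversal such as %2e%2e%2f is not missed. The log lines, the endpoint path widgets/load.php and the template parameter name are constructed for illustration; the advisory does not name the vulnerable endpoint or parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). They are not real
# traffic; the endpoint path and the "template" parameter are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:01:02 +0000] "GET /wp-content/plugins/dynamic-elementor-addons/widgets/load.php?template=../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Dec/2024:10:01:05 +0000] "GET /wp-content/plugins/dynamic-elementor-addons/widgets/load.php?template=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [10/Dec/2024:10:02:00 +0000] "GET /wp-content/plugins/dynamic-elementor-addons/assets/css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Dec/2024:10:03:00 +0000] "GET /wp-content/plugins/dynamic-elementor-addons/widgets/load.php?template=php://filter HTTP/1.1" 200 300 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "dynamic-elementor-addons"
# Same indicators as the SIEM query (../, /etc/, php://), plus the Windows
# separator form; matched case-insensitively on the decoded URI.
LFI_PATTERNS = ("../", "..\\", "/etc/", "php://")


def decode_uri(uri: str) -> str:
    """Percent-decode repeatedly until stable so double encoding is unwrapped."""
    prev = None
    while prev != uri:
        prev, uri = uri, unquote(uri)
    return uri


def scan_log(text: str):
    """Return (ip, status, decoded_uri, matched_pattern) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        uri = decode_uri(m.group("uri"))
        if PLUGIN_PATH not in uri:
            continue  # only requests aimed at this plugin are of interest
        for pat in LFI_PATTERNS:
            if pat in uri.lower():
                hits.append((m.group("ip"), int(m.group("status")), uri, pat))
                break
    return hits


if __name__ == "__main__":
    for ip, status, uri, pat in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} pattern={pat!r} uri={uri}")
```

A 200 status on a traversal request is the line to escalate first, since it suggests the include may have succeeded rather than merely been attempted.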