CVE-2024-49676
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files, including web shells, to WordPress servers running the vulnerable Custom Icons for Elementor plugin. Attackers can gain remote code execution and potentially take over affected websites. All WordPress sites using this plugin version 0.3.3 or earlier are affected.
💻 Affected Systems
- Custom Icons for Elementor WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, defacement, malware distribution, and lateral movement to other systems.
Likely Case
Website takeover, backdoor installation, credential theft, and unauthorized content modification.
If Mitigated
Limited impact if file uploads are restricted at web server level or if plugin is disabled.
🎯 Exploit Status
Exploitation requires authenticated access to WordPress admin or contributor roles. Public exploit code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.3.4 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Go to Plugins > Installed Plugins. 3. Find 'Custom Icons for Elementor'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 0.3.4+ from WordPress repository.
🔧 Temporary Workarounds
Disable plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate custom-icons-for-elementor
Restrict upload directory permissions
linuxSet upload directory to read-only for web server user
chmod -R 755 /wp-content/uploads/custom-icons/
chown -R root:root /wp-content/uploads/custom-icons/
🧯 If You Can't Patch
- Disable the Custom Icons for Elementor plugin immediately
- Implement web application firewall rules to block file uploads to the affected endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Custom Icons for Elementor version. If version is 0.3.3 or earlier, you are vulnerable.Check Version:
wp plugin get custom-icons-for-elementor --field=versionVerify Fix Applied:
Verify plugin version is 0.3.4 or later in WordPress admin panel. Test file upload functionality with malicious file extensions.📡 Detection & Monitoring
Log Indicators:
- File uploads to /wp-content/uploads/custom-icons/ with .php, .phtml, .php5 extensions
- Unauthorized admin or contributor login attempts followed by file uploads
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with file upload parameters
- Unusual outbound connections from web server
SIEM Query:
source="wordpress.log" AND ("admin-ajax.php" AND "action=upload_custom_icon") AND ("\.php" OR "\.phtml" OR "\.php5")