CVE-2024-5153
📋 TL;DR
The Startklar Elementor Addons WordPress plugin contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files and delete directories on the server. This affects all WordPress sites using this plugin up to version 1.7.15. Attackers can potentially access sensitive configuration files, database credentials, and delete critical WordPress directories.
💻 Affected Systems
- Startklar Elementor Addons WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via sensitive file disclosure (wp-config.php with database credentials) followed by deletion of the entire WordPress installation directory, causing permanent data loss and site destruction.
Likely Case
Unauthenticated attackers exfiltrate sensitive configuration files containing database credentials, leading to database compromise and potential site takeover.
If Mitigated
Limited impact only for files the web server's user cannot read. Tight file permissions do not protect wp-config.php, because PHP must be able to read it and the plugin reads files as that same user. Regular off-host backups limit the damage from directory deletion, but a deleted WordPress directory still causes an outage until it is restored.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to the vulnerable endpoint with directory traversal sequences in the 'dropzone_hash' parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.16 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/startklar-elmentor-forms-extwidgets
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Startklar Elementor Addons'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable Plugin
Deactivate the vulnerable plugin to prevent exploitation
wp plugin deactivate startklar-elmentor-forms-extwidgets
Web Application Firewall Rule
Block requests whose dropzone_hash parameter contains a directory traversal sequence. ModSecurity URL-decodes ARGS once before matching; the extra urlDecodeUni transformation also catches double-encoded payloads (%252e%252e%252f).
ModSecurity rule: SecRule ARGS:dropzone_hash "@rx \.\./" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'CVE-2024-5153 directory traversal attempt'"
🧯 If You Can't Patch
- Deactivate the Startklar Elementor Addons plugin immediately
- Tighten file permissions (e.g. chmod 600 on wp-config.php) to limit what other local accounts can read; note that this does not stop this bug, because the plugin reads files as the web server user, which must be able to read wp-config.php
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Startklar Elementor Addons' version 1.7.15 or earlier
Check Version:
wp plugin list --name=startklar-elmentor-forms-extwidgets --field=version
Verify Fix Applied:
Verify plugin version is 1.7.16 or later in WordPress admin panel
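The version check above is easy to get wrong at scale if versions are compared as strings ("1.7.9" sorts after "1.7.16"). The following is an added example, not code from this page or from the plugin, that evaluates the JSON output of `wp plugin list --format=json` against the fixed version named above. The plugin slug and fix version come from this page; the sample JSON and the script name check_startklar.py are constructed for illustration.

```python
import json
import re

# Values from this page: the plugin slug used by wp-cli and the first fixed release.
PLUGIN_SLUG = "startklar-elmentor-forms-extwidgets"
FIXED_VERSION = "1.7.16"


def version_key(version):
    """Split '1.7.15' into (1, 7, 15) so releases compare numerically.

    A plain string comparison gets this wrong: '1.7.9' > '1.7.16' as strings,
    which would report a vulnerable build as fixed.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable(version):
    """True for every release below the first fixed version (1.7.15 and earlier)."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_plugin_list(json_text):
    """Evaluate the JSON produced by `wp plugin list --format=json`.

    Returns a dict describing whether the plugin is present, its version and
    activation status, and whether that version is in the affected range.
    """
    for plugin in json.loads(json_text):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version", "")
            return {
                "installed": True,
                "version": version,
                "status": plugin.get("status"),
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "version": None, "status": None, "vulnerable": False}


# Constructed sample of wp-cli JSON output (not captured from a real site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "update": "none", "version": "3.21.0"},
    {"name": PLUGIN_SLUG, "status": "inactive", "update": "available", "version": "1.7.15"},
])


if __name__ == "__main__":
    # Real use (hypothetical file name): wp plugin list --format=json | python3 check_startklar.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    print(json.dumps(check_plugin_list(data), indent=2))
```

The verdict is based on the version alone and ignores the activation status on purpose: deactivation is listed on this page as a temporary workaround, while the fix instructions say to update or delete the plugin, so an inactive 1.7.15 install is still reported as needing action.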
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/startklar-elmentor-forms-extwidgets/widgets/dropzone_form_field.php with a 'dropzone_hash' parameter containing '../' sequences, including URL-encoded forms such as %2e%2e%2f or %2e%2e/ (decode the query string before matching)
- Responses from that endpoint with unexpectedly large bodies, consistent with file contents (e.g. wp-config.php) being returned to the client
- Directories missing or emptied under the WordPress root, reported by file integrity monitoring or by sudden 404s across the site
Network Indicators:
- POST or GET requests to the vulnerable endpoint with traversal payloads (POST bodies are not in standard access logs; a WAF or application-level logging is needed to inspect them)
- Response sizes from the endpoint matching sensitive files such as wp-config.php, since the disclosed contents come back in the HTTP response rather than as separate outbound traffic
SIEM Query:
source="web_server_logs" AND uri="*dropzone_form_field.php*" AND (query="*../*" OR query="*%2e%2e*" OR query="*..%2f*" OR post_data="*../*")
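The SIEM query above depends on the raw request line, which keeps whatever percent-encoding the attacker used. The following is an added example, not code from this page or from the plugin, that applies the same log indicators to combined-format access log lines: it decodes the dropzone_hash value repeatedly (so %2e%2e%2f and double-encoded %252e%252e%252f are both caught), flags traversal segments, and separately marks POSTs to the endpoint for review because their bodies are not logged. The endpoint path and parameter name come from this page; the log lines are constructed, not from a real incident.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in this page's log indicators.
ENDPOINT = "dropzone_form_field.php"
PARAM = "dropzone_hash"

# Apache/nginx combined log format: the request line is logged raw, so any
# percent-encoding the attacker used is still present here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %252e%252e%252f (double-encoded) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any path segment of the decoded value is '..' (either slash style)."""
    decoded = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def analyze_line(line):
    """Classify one access-log line. Returns a finding dict or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    if ENDPOINT not in parts.path:
        return None
    finding = {"ip": m.group("ip"), "ts": m.group("ts"),
               "method": m.group("method"), "status": m.group("status")}
    # parse_qs decodes one layer; has_traversal handles any further layers.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    hits = [fully_decode(v) for v in values if has_traversal(v)]
    if hits:
        return {**finding, "verdict": "traversal", "payload": hits[0]}
    if m.group("method") == "POST":
        # Bodies are not in access logs; a POST to this endpoint needs WAF or
        # application-level logs to see whether dropzone_hash carried a payload.
        return {**finding, "verdict": "review", "payload": None}
    return None


def scan(lines):
    """Run analyze_line over an iterable of log lines, keeping only findings."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample log lines (not from a real incident); IPs are documentation ranges.
BASE = "/wp-content/plugins/startklar-elmentor-forms-extwidgets/widgets/dropzone_form_field.php"
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [10/Jun/2024:12:01:02 +0000] "GET {BASE}?dropzone_hash=../../../../wp-config.php HTTP/1.1" 200 3117 "-" "curl/8.0"',
    f'203.0.113.7 - - [10/Jun/2024:12:01:05 +0000] "GET {BASE}?dropzone_hash=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3117 "-" "curl/8.0"',
    f'198.51.100.9 - - [10/Jun/2024:12:02:10 +0000] "GET {BASE}?dropzone_hash=%252e%252e%252fwp-config.php HTTP/1.1" 200 3117 "-" "python-requests/2.31"',
    f'192.0.2.4 - - [10/Jun/2024:12:03:00 +0000] "GET {BASE}?dropzone_hash=a1b2c3d4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'192.0.2.4 - - [10/Jun/2024:12:03:30 +0000] "POST {BASE} HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Jun/2024:12:04:00 +0000] "GET /index.php?p=../x HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
])


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f)
```

Only whole '..' segments are flagged to keep false positives down; a legitimate dropzone_hash value should be an opaque token, so if you prefer a stricter rule, treat any '.' or '/' in the decoded value as suspicious. The "review" verdict for POSTs is a reminder that the access log alone cannot confirm or rule out a payload in the body.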
🔗 References
- https://plugins.trac.wordpress.org/browser/startklar-elmentor-forms-extwidgets/trunk/widgets/dropzone_form_field.php#L334
- https://www.wordfence.com/threat-intel/vulnerabilities/id/baa20290-9c01-4f8d-adeb-fbfb15b9d6a9?source=cve