CVE-2024-5709

8.8 HIGH

📋 TL;DR

The WPBakery Visual Composer plugin for WordPress has a Local File Inclusion vulnerability that allows authenticated attackers with Author-level permissions to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and privilege escalation. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WPBakery Visual Composer WordPress Plugin
Versions: All versions up to and including 7.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Author-level permissions or higher, and post permissions granted by Administrator.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data exfiltration, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case: Unauthorized code execution leading to website defacement, credential theft, or installation of malware.

🟢 If Mitigated: Limited impact if proper file upload restrictions and server hardening are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.8 or later

Vendor Advisory: https://wpbakery.com/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPBakery Visual Composer.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from wpbakery.com and update manually.

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily disable the WPBakery Visual Composer plugin until it is patched.

wp plugin deactivate js_composer

Restrict File Uploads

Platform: linux

Configure the web server to block PHP execution in upload directories. This limits what an included file can do but does not remove the inclusion flaw itself, so it is a stopgap, not a fix.

Add 'php_flag engine off' to .htaccess in upload directories (this directive only takes effect with mod_php; on PHP-FPM setups use a handler or deny rule for .php files in those directories instead)

🧯 If You Can't Patch

  • Remove Author-level user accounts or restrict their post permissions
  • Implement web application firewall rules to block requests containing 'layout_name' parameter manipulation

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 7.7 or lower, you are vulnerable.

Check Version:

wp plugin get js_composer --field=version

Verify Fix Applied:

Verify plugin version is 7.8 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file inclusion attempts in web server logs
  • POST requests to wp-admin/admin-ajax.php with layout_name parameter containing path traversal sequences

Network Indicators:

  • HTTP requests with suspicious layout_name parameter values
  • Unexpected PHP file execution from upload directories

SIEM Query:

source="web_server_logs" AND (layout_name CONTAINS "../" OR layout_name CONTAINS "/etc/" OR layout_name CONTAINS "/proc/")
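The log indicators and SIEM query above match literal strings only; the following is an added example (not part of the advisory) that scans constructed access-log lines for admin-ajax.php requests whose layout_name query parameter decodes to a traversal or absolute path, percent-decoding repeatedly so double-encoded values are caught. The sample lines, IPs and timestamps are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); they are not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?layout_name=default HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jun/2024:10:01:07 +0000] "POST /wp-admin/admin-ajax.php?layout_name=../../../../etc/hosts HTTP/1.1" 200 1234',
    '10.0.0.9 - - [12/Jun/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?layout_name=..%2F..%2Fwp-content%2Fuploads%2Fx HTTP/1.1" 200 640',
    '10.0.0.9 - - [12/Jun/2024:10:01:11 +0000] "GET /wp-admin/admin-ajax.php?layout_name=%252e%252e%252fproc%252fself HTTP/1.1" 200 640',
    '10.0.0.7 - - [12/Jun/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Same indicators as the advisory's SIEM query: a ".." path segment, /etc/ or /proc/.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)|/etc/|/proc/')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal such as %252e is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def suspicious_layout_names(line: str) -> list:
    """Return decoded layout_name values in one log line that look like traversal or absolute paths."""
    m = REQUEST_RE.search(line)
    if not m or not m.group("target").split("?")[0].endswith("/wp-admin/admin-ajax.php"):
        return []
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    return [v for v in map(normalize, params.get("layout_name", [])) if TRAVERSAL_RE.search(v)]


def scan(lines) -> list:
    """Return (client_ip, decoded_layout_name) pairs for every suspicious request."""
    return [(line.split(" ", 1)[0], v) for line in lines for v in suspicious_layout_names(line)]


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOGS):
        print(f"{ip} layout_name={value!r}")
```

Standard access logs record only the query string, so a layout_name sent in a POST body will not appear here; cover that path with WAF or application-level request logging.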
