CVE-2024-7145 – The JetElements WordPress plugin contains a Loc... (How to Fix)

📋 TL;DR

The JetElements WordPress plugin contains a Local File Inclusion vulnerability that allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and privilege escalation. All WordPress sites using JetElements version 2.6.20 or earlier are affected.

💻 Affected Systems

Products:

JetElements for WordPress

Versions: All versions up to and including 2.6.20

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user with Contributor role or higher; affects all WordPress installations with vulnerable plugin versions

📦 What is this software?

Jetelements by Crocoblock

View all CVEs affecting Jetelements →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data exfiltration, ransomware deployment, or persistent backdoor installation

🟠

Likely Case

Unauthorized code execution leading to website defacement, credential theft, or installation of web shells

🟢

If Mitigated

Limited impact if proper file upload restrictions and server hardening are in place

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.21 or later

Vendor Advisory: https://crocoblock.com/plugins/jetelements/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find JetElements and click 'Update Now'
4. Verify version is 2.6.21 or higher

🔧 Temporary Workarounds

Disable JetElements Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate jetelements

Restrict File Uploads

linux

Block PHP file uploads via web server configuration

<FilesMatch "\.php$">
    Deny from all
</FilesMatch>

🧯 If You Can't Patch

Implement strict file upload validation to block PHP files
Apply principle of least privilege by reducing Contributor role permissions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → JetElements version number

Check Version:

wp plugin get jetelements --field=version

Verify Fix Applied:

Confirm JetElements version is 2.6.21 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual file inclusion attempts in web server logs
POST requests to /wp-admin/admin-ajax.php with progress_type parameter

Network Indicators:

HTTP requests with file path traversal in parameters
Unexpected PHP file execution from upload directories

SIEM Query:

source="web_server" AND (uri_path="*admin-ajax.php*" AND query="*progress_type=*" AND NOT query="*progress_type=circle*")

📊 Metadata

CVE ID: CVE-2024-7145

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-22

Published: August 16, 2024

Last Updated: September 13, 2024

🔗 References

https://crocoblock.com/plugins/jetelements/ Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/793f27ec-a3bb-4273-a41c-cc5b04c8e8fc?source=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-7145, you might also want to check these: