CVE-2024-38772 - Vulnerability Details - OpenCVE

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetWidgets for Elementor and WooCommerce allows PHP Local File Inclusion.This issue affects JetWidgets for Elementor and WooCommerce: from n/a through 1.1.7.

Published: 2024-08-01

Score: 6.5 Medium

EPSS: 1.6% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Crocoblock

JetWidgets for Elementor and WooCommerce

unaffected

Version	Status	Constraints
`n/a`	affected	≤ 1.1.7

No data.

No data.

No data available yet.

Remediation

Vendor Solution

Update to 1.1.8 or a higher version.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-37612	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetWidgets for Elementor and WooCommerce allows PHP Local File Inclusion.This issue affects JetWidgets for Elementor and WooCommerce: from n/a through 1.1.7.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01627.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/vulnerability/jetwoo-widgets-for-elementor/wordpress-jetwidgets-for-elementor-and-woocommerce-plugin-1-1-7-contributor-limited-local-file-inclusion-vulnerability?_s_id=cve

History

No history.

Subscriptions

Crocoblock Jetwidgets For Elementor

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2024-08-01T20:49:54.842Z

Updated: 2024-08-01T21:02:25.756Z

Reserved: 2024-06-19T12:34:40.590Z

Link: CVE-2024-38772

Vulnrichment

Updated: 2024-08-01T21:02:21.602Z

NVD

Status : Awaiting Analysis

Published: 2024-08-01T21:15:28.120

Modified: 2024-08-02T12:59:43.990

Link: CVE-2024-38772

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-22

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-38772", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2024-06-19T12:34:40.590Z", "datePublished": "2024-08-01T20:49:54.842Z", "dateUpdated": "2024-08-01T21:02:25.756Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "jetwoo-widgets-for-elementor", "product": "JetWidgets for Elementor and WooCommerce", "vendor": "Crocoblock", "versions": [{"changes": [{"at": "1.1.8", "status": "unaffected"}], "lessThanOrEqual": "1.1.7", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo\u00e3o Pedro Soares de Alc\u00e2ntara - Kinorth (Patchstack Alliance)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetWidgets for Elementor and WooCommerce allows PHP Local File Inclusion.<p>This issue affects JetWidgets for Elementor and WooCommerce: from n/a through 1.1.7.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetWidgets for Elementor and WooCommerce allows PHP Local File Inclusion.This issue affects JetWidgets for Elementor and WooCommerce: from n/a through 1.1.7."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-08-01T20:49:54.842Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/vulnerability/jetwoo-widgets-for-elementor/wordpress-jetwidgets-for-elementor-and-woocommerce-plugin-1-1-7-contributor-limited-local-file-inclusion-vulnerability?_s_id=cve"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 1.1.8 or a higher version."}], "value": "Update to 1.1.8 or a higher version."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress JetWidgets for Elementor and WooCommerce plugin <= 1.1.7 - Contributor+ Limited Local File Inclusion vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "crocoblock", "product": "jetwidgets_for_elementor", "cpes": ["cpe:2.3:a:crocoblock:jetwidgets_for_elementor:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.7", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-01T20:59:44.720950Z", "id": "CVE-2024-38772", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T21:02:25.756Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-38772", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-01T20:59:44.720950Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:crocoblock:jetwidgets_for_elementor:*:*:*:*:*:*:*:*"], "vendor": "crocoblock", "product": "jetwidgets_for_elementor", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.7"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T21:02:21.602Z"}}], "cna": {"title": "WordPress JetWidgets for Elementor and WooCommerce plugin <= 1.1.7 - Contributor+ Limited Local File Inclusion vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo\u00e3o Pedro Soares de Alc\u00e2ntara - Kinorth (Patchstack Alliance)"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Crocoblock", "product": "JetWidgets for Elementor and WooCommerce", "versions": [{"status": "affected", "changes": [{"at": "1.1.8", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "1.1.7"}], "packageName": "jetwoo-widgets-for-elementor", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to 1.1.8 or a higher version.", "supportingMedia": [{"type": "text/html", "value": "Update to 1.1.8 or a higher version.", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/vulnerability/jetwoo-widgets-for-elementor/wordpress-jetwidgets-for-elementor-and-woocommerce-plugin-1-1-7-contributor-limited-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetWidgets for Elementor and WooCommerce allows PHP Local File Inclusion.This issue affects JetWidgets for Elementor and WooCommerce: from n/a through 1.1.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Crocoblock JetWidgets for Elementor and WooCommerce allows PHP Local File Inclusion.<p>This issue affects JetWidgets for Elementor and WooCommerce: from n/a through 1.1.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-08-01T20:49:54.842Z"}}}, "cveMetadata": {"cveId": "CVE-2024-38772", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:02:25.756Z", "dateReserved": "2024-06-19T12:34:40.590Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2024-08-01T20:49:54.842Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}