WordPress Plugin Vulnerabilities

Element Pack Pro < 7.19.3 - Contributor+ Arbitrary File Read and PHAR Deserialization

Description

The plugin is vulnerable to Directory Traversal. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
bdthemes-element-pack
Fixed in 7.19.3

References

CVE
CVE-2024-33568
URL
https://patchstack.com/database/wordpress/plugin/bdthemes-element-pack/vulnerability/wordpress-element-pack-pro-plugin-7-7-4-arbitrary-file-read-and-phar-deserialization-vulnerability

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
8.7 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
0b1bc082-3626-4248-956e-14bc7d37ebd4

Timeline

Publicly Published
2024-04-25 (about 2 years ago)
Added
2024-05-01 (about 2 years ago)
Last Updated
2026-04-14 (about 1 month ago)

Other

Published
Title
Published
2026-01-27
Title
Snow Monkey Forms < 12.0.4 - Unauthenticated Arbitrary File Deletion
Published
2024-01-17
Title
WP Recipe Maker < 9.1.1 - Directory Traversal
Published
2024-12-02
Title
ARForms <= 6.4.1 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read
Published
2014-08-01
Title
BookX 1.7 - includes/bookx_export.php file Parameter Remote Path Traversal File Access
Published
2026-03-12
Title
Instant VA < 1.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion