WordPress Plugin Vulnerabilities

PDF Generator Addon for Elementor Page Builder < 2.0.1 - Unauthenticated Arbitrary File Download

Description

The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.0.0 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
pdf-generator-addon-for-elementor-page-builder
Fixed in 2.0.1

References

CVE
CVE-2024-9935
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/36daf2af-1db3-4b35-8849-480212660b2f

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
6b25a95d-499f-4d53-800b-bf9e16bc8eb0

Timeline

Publicly Published
2024-11-15 (about 1 year ago)
Added
2024-11-15 (about 1 year ago)
Last Updated
2024-11-27 (about 1 year ago)

Other

Published
Title
Published
2024-09-24
Title
CSS JS Files < 1.5.1 - Authenticated (Admin+) Arbitrary File Read
Published
2025-02-22
Title
Helloprint < 2.1.0 - Unauthenticated Arbitrary File Deletion
Published
2023-09-28
Title
Simple File List < 6.1.10 - Unauthenticated Arbitrary File Deletion
Published
2025-04-03
Title
The Wound <= 0.0.1 - Unauthenticated LFI
Published
2026-01-13
Title
Hostme v2 <= 7.0 - Unauthenticated Arbitrary File Deletion