Custom Icons for Elementor < 0.3.4 – Authenticated (Admin+) Arbitrary File Upload | CVE 2024-49676 | Plugin Vulnerabilities

Description

The Custom Icons for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

custom-icons-for-elementor

Fixed in 0.3.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/06b31f3a-8516-427c-b819-7bcf2717705b

Miscellaneous

Original Researcher

tahu.datar

Verified

No

WPVDB ID

77cda613-994a-4742-bc12-581f724387b5

Timeline

Publicly Published

2024-10-21 (about 1 year ago)

Added

2024-10-30 (about 1 year ago)

Last Updated

2024-10-30 (about 1 year ago)

Other

Published

Title

Published

2023-11-01

Title

Drag and Drop Multiple File Upload - Contact Form 7 < 1.3.7.4 - Unauthenticated Arbitrary File Upload

Published

2023-08-28

Title

Folders < 2.9.3 - Authenticated (Author+) Arbitrary File Upload in handle_folders_file_upload

Published

2025-08-04

Title

WP Import Export Lite < 3.9.30 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-07-08

Title

Gutenberg Forms <= 2.2.9 - Unauthenticated Arbitrary File Upload

Published

2024-05-06

Title

canvasio3D Light <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload