Elementor is one of the most popular WordPress website builders. But in versions up to 3.19., a serious security hole—CVE-2024-24934—puts your website at risk. If you own or manage a WordPress website that uses Elementor, you need to know about this vulnerability and how hackers can use it to access files on your server.
What is CVE-2024-24934?
CVE-2024-24934 is an "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" vulnerability affecting Elementor Website Builder from versions n/a through 3.19.. In simple terms, Elementor failed to properly restrict how users (or attackers) provide filenames when interacting with the plugin’s features.
A skilled attacker can abuse this by tricking Elementor into opening or writing to files outside of the intended directories—even system or configuration files. This breaks the intended security barrier between your website’s public features and the sensitive files underpinning your WordPress website.
How Does Path Traversal Work?
Path traversal happens when a web application lets someone input folder names (like in image upload or download features), but it doesn't check well enough for dangerous patterns. For example, if the code doesn’t block things like ../, an attacker can move "up" the folder tree and grab files they're not supposed to access.
Normal input:
/uploads/image.png
Malicious input:
/uploads/../../wp-config.php
If Elementor's file handler doesn't stop this, an attacker could download the site's wp-config.php (which includes the database username and password), or potentially write malicious files.
What Part of Elementor Was Vulnerable?
While Elementor didn’t publish full technical details, according to their official changelog and WPScan advisory, a vulnerable component processed file paths in a way that could be manipulated using path traversal techniques.
Affected versions: Elementor Website Builder, n/a through 3.19.
Patched in: 3.20.
Code Snippet: Example of a Path Traversal Vulnerability
To help you understand the danger, here’s an example of what *bad* PHP code might look like inside a plugin handling files:
// Example: vulnerable file download code
if (isset($_GET['file'])) {
$filename = $_GET['file'];
$filepath = '/var/www/html/wp-content/uploads/' . $filename;
if (file_exists($filepath)) {
readfile($filepath);
}
}
If you request:
https://your-site.com/?file=../../wp-config.php
the script would happily serve you the site's configuration file, because it never checks for ../ or sane file limits!
A secure version could look like
if (isset($_GET['file'])) {
$filename = basename($_GET['file']); // THIS REMOVES ANY PATH COMPONENTS!
$filepath = '/var/www/html/wp-content/uploads/' . $filename;
if (file_exists($filepath)) {
readfile($filepath);
}
}
Or better still, check carefully that $filepath lives *strictly* inside the intended directory.
Researchers and exploiters used attacks like this
1. Identify a file handling endpoint – Use tools or manual browsing to find Elementor features that include a file= or similar parameter.
2. Send a crafted request – Replace the filename with something like ../../wp-config.php or ../../../etc/passwd (on Linux).
Check the result – If the file returns, you’re vulnerable. Attackers might automate this.
4. What’s next? – With sensitive files in hand, hackers can steal your database, deface your site, or gain total control.
Example exploit HTTP request
GET /wp-admin/admin-ajax.php?action=elementor_handler&file=../../wp-config.php HTTP/1.1
Host: victimwebsite.com
References & Official Advisories
- WordPress Elementor plugin Changelog
- WPScan Vulnerability Details
- NVD Entry for CVE-2024-24934
- Elementor Security Changelog
Update Elementor to version 3.20. or later immediately.
- Scan your WordPress site for indicators of compromise (unexpected files, altered settings, unknown admin users).
Takeaway
If you're running Elementor Website Builder below version 3.20., your website is at risk from this path traversal vulnerability. Patch now, audit your site, and stay secured.
Stay safe and keep your plugins up to date!
*(This article is exclusive to this post and summarizes publicly available information for educational purposes.)*
Timeline
Published on: 05/17/2024 09:15:25 UTC
Last modified on: 05/17/2024 18:36:05 UTC