CVE-2024-11952 is a path traversal vulnerability classified under CWE-22 found in the Classic Addons – WPBakery Page Builder plugin for WordPress. The flaw exists in all versions up to and including 3.0, where the 'style' parameter can be manipulated by authenticated users with Contributor-level access or higher, provided they have permissions granted by an Administrator. This parameter is vulnerable to limited local PHP file inclusion, allowing attackers to include and execute arbitrary PHP files on the server. The vulnerability is constrained to Windows environments due to the way file paths and extensions are handled. By exploiting this, attackers can bypass normal access controls, execute arbitrary PHP code, and potentially gain full control over the affected server. The vulnerability leverages the ability to upload files that are normally considered safe, such as images, but which can contain embedded PHP code. The CVSS v3.1 score is 7.5 (high), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and requiring low privileges but no user interaction. No public exploits have been reported yet, but the risk is significant given the widespread use of WPBakery Page Builder and the common presence of Contributor-level users in WordPress sites.

This vulnerability poses a significant risk to organizations running WordPress sites with the Classic Addons – WPBakery Page Builder plugin on Windows servers. Successful exploitation can lead to arbitrary code execution, allowing attackers to take full control of the web server, access sensitive data, modify site content, or pivot to other internal systems. The ability to bypass access controls means that even users with limited privileges can escalate their capabilities, increasing insider threat risks. This can result in data breaches, defacement, malware implantation, or use of the compromised server for further attacks. The impact extends to the availability of services if attackers disrupt or disable the website. Given the popularity of WPBakery Page Builder, many websites globally could be affected, especially those hosted on Windows-based infrastructure, which is less common but still significant in certain sectors.

Organizations should immediately review user permissions and restrict Contributor-level and higher access to trusted users only. Administrators should audit the Classic Addons – WPBakery Page Builder plugin usage and disable or remove it if not essential. Since no official patch links are currently available, consider applying virtual patching via web application firewalls (WAFs) to block suspicious requests targeting the 'style' parameter or attempts at path traversal patterns. Monitor logs for unusual file inclusion attempts or unexpected PHP executions. For sites on Windows servers, consider migrating to Linux-based hosting if feasible, as the vulnerability is limited to Windows environments. Regularly update the plugin once a vendor patch is released. Implement strict file upload validation and sanitization policies to prevent uploading files with embedded PHP code disguised as images or other safe types. Conduct thorough security audits and penetration testing focusing on plugin vulnerabilities and privilege escalation paths.