CVE-2024-37419 describes an improper limitation of a pathname to a restricted directory (CWE-22) in the Codeless Cowidgets – Elementor Addons plugin for Elementor. This flaw allows an attacker to perform path traversal attacks by crafting malicious pathnames, potentially accessing files outside the intended directory scope. The vulnerability affects all versions up to 1.1.1. The CVSS 3.1 base score is 7.5, reflecting high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. No patch or official remediation has been published by the vendor as of the publication date.

An attacker can exploit this vulnerability remotely without authentication or user interaction to access sensitive files on the server by bypassing directory restrictions. This can lead to unauthorized disclosure of confidential information. There is no indication of impact on data integrity or system availability. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the plugin or disabling it if possible. Monitor for vendor updates and apply patches promptly once available.