
CVE-2024-50453: Relative Path Traversal in webangon The Pack Elementor addons

Published: Mon Oct 28 2024 (10/28/2024, 19:52:11 UTC)
Source: CVE Database V5
Vendor/Project: webangon
Product: The Pack Elementor addons

Description

Relative Path Traversal vulnerability in webangon The Pack Elementor addons the-pack-addon allows PHP Local File Inclusion. This issue affects The Pack Elementor addons: from n/a through <= 2.0.9.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/02/2026, 11:11:49 UTC

Technical Analysis

CVE-2024-50453 identifies a Relative Path Traversal vulnerability in the webangon The Pack Elementor addons, specifically versions up to and including 2.0.9. This vulnerability allows an attacker to manipulate file path inputs to include local files on the server via PHP Local File Inclusion (LFI). The root cause is inadequate sanitization and validation of user-controlled input that is used in file inclusion operations within the plugin's codebase. By exploiting this flaw, an attacker can access sensitive files such as configuration files, password stores, or other critical data residing on the server. In some cases, this can lead to remote code execution if the attacker can include files containing malicious code or upload crafted payloads. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers who can send crafted requests to the vulnerable WordPress site. The Pack Elementor addons are widely used to extend Elementor page builder functionality, which is popular among WordPress users globally. Although no public exploits have been reported at the time of publication, the potential impact is significant due to the common deployment of the affected plugin. The absence of a CVSS score indicates this is a newly disclosed vulnerability, and the lack of official patches at the time of reporting means organizations must apply alternative mitigations or monitor for updates. The vulnerability was reserved and published in late October 2024 by Patchstack, a known security entity specializing in WordPress vulnerabilities.

Potential Impact

The primary impact of CVE-2024-50453 is unauthorized local file inclusion, which can lead to exposure of sensitive server files, including configuration files, credentials, or other private data. This can compromise confidentiality and potentially integrity if attackers leverage the vulnerability to execute arbitrary PHP code on the server. Exploitation could result in full site compromise, data breaches, defacement, or pivoting to other internal systems. For organizations relying on WordPress sites with The Pack Elementor addons, this vulnerability threatens the availability and trustworthiness of their web presence. The ease of exploitation without authentication increases the risk of widespread attacks, especially on sites with poor monitoring or outdated plugins. The lack of known exploits in the wild currently limits immediate impact, but this may change rapidly once exploit code becomes publicly available. The vulnerability could also be leveraged in targeted attacks against organizations with high-value web assets or sensitive data hosted on vulnerable WordPress installations.

Mitigation Recommendations

Organizations should immediately verify if The Pack Elementor addons are installed and identify the plugin version. Since no official patch is currently available, temporary mitigations include disabling or uninstalling the vulnerable plugin until a fixed version is released. Restricting access to the WordPress admin area and limiting HTTP request methods that can trigger the vulnerability may reduce exposure. Web Application Firewalls (WAFs) should be configured to detect and block suspicious path traversal patterns or attempts to include local files. Monitoring web server logs for unusual file inclusion attempts or errors can provide early detection of exploitation attempts. Administrators should subscribe to vendor or security mailing lists for updates on patches and apply them promptly once available. Additionally, following WordPress security best practices such as least privilege for file permissions and regular backups will help mitigate potential damage. Conducting a thorough security audit of all plugins and themes to ensure they are up to date and from trusted sources is recommended.
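The first step above, confirming whether the plugin is installed and at which version, can be scripted across many sites. This is an added example, not code from the vendor or from this page; it assumes the default WordPress layout with the plugin under `wp-content/plugins/the-pack-addon` (the slug given in the description), and the function names are hypothetical.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "the-pack-addon"   # slug as given in the CVE description
LAST_AFFECTED = "2.0.9"          # "through <= 2.0.9" per the description
HEADER_BYTES = 8192              # WordPress reads plugin headers from the first 8 KB

_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)
_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)


def version_key(version):
    """Turn '2.0.10' into (2, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def installed_version(wp_root):
    """Return the plugin's Version header, or None if it is not installed.

    Assumes the default layout <wp_root>/wp-content/plugins/<slug>/.
    """
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if _NAME_RE.search(head):          # only the main file carries the header
            m = _VERSION_RE.search(head)
            if m:
                return m.group(1)
    return "unknown"  # directory exists but no readable header: treat as affected


def assess(wp_root):
    """Classify a site as 'not-installed', 'affected' or 'newer-than-affected'."""
    version = installed_version(wp_root)
    if version is None:
        return "not-installed", None
    if version == "unknown" or version_key(version) <= version_key(LAST_AFFECTED):
        return "affected", version
    return "newer-than-affected", version


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:]:
        print(root, *assess(root))
```

A deactivated plugin still reports as affected here, because its files remain on disk and reachable; only removal clears the result.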


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2024-10-24T07:26:07.771Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69cd74eee6bfc5ba1df01d38

Added to database: 4/1/2026, 7:41:34 PM

Last enriched: 4/2/2026, 11:11:49 AM

Last updated: 4/6/2026, 9:30:17 AM
