
CVE-2024-5147: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpzoom WPZOOM Addons for Elementor (Templates, Widgets)

Severity: Critical
Tags: Vulnerability, CVE-2024-5147, CWE-22
Published: Wed May 22 2024 (05/22/2024, 07:37:25 UTC)
Source: CVE Database V5
Vendor/Project: wpzoom
Product: WPZOOM Addons for Elementor (Templates, Widgets)

Description

CVE-2024-5147 is a critical path traversal vulnerability in the WPZOOM Addons for Elementor (Templates, Widgets) WordPress plugin, affecting all versions up to 1.1.37. It allows unauthenticated attackers to exploit the 'grid_style' parameter to perform Local File Inclusion (LFI), enabling arbitrary file inclusion and execution of PHP code on the server. This vulnerability can lead to full system compromise, including bypassing access controls and data theft. No user interaction or authentication is required, and the attack can be performed remotely over the network. Although no known exploits are currently reported in the wild, the high CVSS score (9.8) indicates a severe risk. Organizations using this plugin should urgently apply patches or mitigate exposure to prevent exploitation. The threat primarily targets WordPress sites using this plugin, which are widespread globally, with particular risk in countries with high WordPress adoption and significant web infrastructure.

AI-Powered Analysis

Last updated: 02/26/2026, 02:25:03 UTC

Technical Analysis

CVE-2024-5147 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal) found in the WPZOOM Addons for Elementor (Templates, Widgets) WordPress plugin. This vulnerability affects all versions up to and including 1.1.37. The flaw exists in the handling of the 'grid_style' parameter, which does not properly sanitize user input, allowing attackers to manipulate file paths and perform Local File Inclusion (LFI). By exploiting this, an unauthenticated attacker can include arbitrary files from the server, potentially executing malicious PHP code embedded within those files. This can lead to full remote code execution (RCE), enabling attackers to bypass access controls, steal sensitive data, or take over the affected web server. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 9.8, reflecting the critical nature of the vulnerability with high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics make it highly exploitable. The plugin is widely used in WordPress environments, which increases the potential attack surface. No official patch links were provided at the time of disclosure, emphasizing the need for immediate defensive measures.
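The analysis above describes the CWE-22 shape: a request parameter is joined into a file path with no validation, so the include follows whatever directory segments the caller supplies. The following Python illustration, added here and not taken from the plugin or the advisory, puts the unsafe join next to a hardened resolver that combines an allowlist of known template names with a confinement check. The template directory, the "<style>.php" naming convention and the allowlist contents are assumptions for the example.

```python
import posixpath

# Constructed values: the advisory does not describe the plugin's template
# layout, so the directory, the "<style>.php" naming and the allowlist are
# assumptions made for this example.
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/example-plugin/templates"
ALLOWED_GRID_STYLES = frozenset({"grid-1", "grid-2", "masonry"})


class GridStyleError(ValueError):
    """Raised when a grid_style value is rejected before any file is touched."""


def resolve_unsafe(grid_style: str) -> str:
    """The CWE-22 shape: the request parameter is joined straight into a path.
    Every '..' segment the caller supplies is honoured, and an absolute value
    replaces the base directory entirely, so the result can point anywhere the
    web server process can read."""
    return posixpath.normpath(posixpath.join(TEMPLATE_DIR, grid_style + ".php"))


def is_confined(path: str, base: str) -> bool:
    """True only if the normalised path is the base directory or lies beneath it.
    A bare startswith(base) would wrongly accept '/.../templates-old/x.php',
    hence the explicit trailing separator."""
    base = posixpath.normpath(base)
    return path == base or path.startswith(base + "/")


def resolve_safe(grid_style: str) -> str:
    """Hardened resolver: an allowlist of known template names decides what may
    be included, and the confinement check stays in place as defence in depth
    in case the allowlist is later relaxed."""
    if grid_style not in ALLOWED_GRID_STYLES:
        raise GridStyleError(f"unknown grid_style: {grid_style!r}")
    path = posixpath.normpath(posixpath.join(TEMPLATE_DIR, grid_style + ".php"))
    if not is_confined(path, TEMPLATE_DIR):
        raise GridStyleError(f"path escapes template directory: {path}")
    return path


if __name__ == "__main__":
    # Compare both resolvers on a legitimate value, a relative escape and an
    # absolute value.
    for value in ("grid-1", "../../../../etc/passwd", "/etc/passwd"):
        unsafe = resolve_unsafe(value)
        print(f"{value!r:28} unsafe -> {unsafe} (confined={is_confined(unsafe, TEMPLATE_DIR)})")
        try:
            print(f"{'':28} safe   -> {resolve_safe(value)}")
        except GridStyleError as exc:
            print(f"{'':28} safe   -> rejected: {exc}")
```

The allowlist is the real fix; a confinement check alone still lets a caller choose any file beneath the template directory, which is why the example keeps both. The same idea transfers to PHP: map the parameter to a fixed set of template names and never pass the raw value to `include`.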

Potential Impact

The impact of CVE-2024-5147 is severe for organizations running WordPress sites with the vulnerable WPZOOM Addons for Elementor plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the web server. This can result in complete server compromise, data breaches involving sensitive customer or business data, defacement of websites, and use of compromised servers as pivot points for further attacks within corporate networks. The vulnerability also enables bypassing of access controls, potentially exposing internal files and configurations. Given WordPress's widespread use for business, e-commerce, and content management globally, the threat can disrupt operations, damage reputation, and incur regulatory penalties if sensitive data is exposed. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and mass exploitation campaigns once public exploits emerge.

Mitigation Recommendations

1. Immediately disable or uninstall the WPZOOM Addons for Elementor (Templates, Widgets) plugin until a secure patch is released.
2. If disabling the plugin is not feasible, restrict access to the vulnerable functionality by implementing web application firewall (WAF) rules that block requests containing suspicious 'grid_style' parameter values or path traversal patterns.
3. Harden file upload mechanisms by enforcing strict file type validation and limiting upload directories to prevent execution of uploaded files.
4. Monitor web server and application logs for unusual file inclusion attempts or anomalous requests targeting the 'grid_style' parameter.
5. Keep WordPress core, themes, and all plugins updated to the latest versions to reduce exposure to known vulnerabilities.
6. Apply the principle of least privilege to web server and application file permissions to limit the impact of potential exploitation.
7. Prepare incident response plans to quickly isolate and remediate compromised systems if exploitation is detected.
8. Once available, promptly apply official patches from WPZOOM addressing this vulnerability.
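Recommendations 2 and 4 call for blocking and monitoring requests whose 'grid_style' value carries path traversal patterns. The Python scanner below is an added example (not part of the advisory or any vendor tooling) that reads combined-format access log lines, extracts every 'grid_style' value, decodes it repeatedly so double-encoded sequences are not missed, and reports why a value was flagged. The log lines are constructed for the example; the addresses, timestamps and request values are made up, and the strict character set for a legitimate style name is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in combined log format; addresses, timestamps and request
# values are made up for this example and are not from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [22/May/2024:08:01:12 +0000] "GET /?grid_style=grid-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/May/2024:08:01:15 +0000] "GET /?grid_style=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.7 - - [22/May/2024:08:01:16 +0000] "GET /?grid_style=%252e%252e%252f%252e%252e%252fsecret HTTP/1.1" 200 812 "-" "curl/8.0"
198.51.100.9 - - [22/May/2024:08:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=load_grid&grid_style=masonry HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption for the example: a legitimate style name is a short slug.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %252e%252e (double-encoded '..') is seen for what it is."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str):
    """Return a reason string if the value looks like a traversal attempt,
    otherwise None. Checks run on the fully decoded form."""
    decoded = fully_decode(value)
    if ".." in decoded:
        return "traversal sequence"
    if decoded.startswith("/") or "\\" in decoded:
        return "absolute path or backslash"
    if "\x00" in decoded:
        return "null byte"
    if not SAFE_VALUE.match(decoded):
        return "unexpected characters"
    return None


def grid_style_values(target: str):
    """Yield raw (still encoded) grid_style values from a request target."""
    query = urlsplit(target).query
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote(key) == "grid_style":
            yield raw


def find_suspicious(log_text: str):
    """Scan log text and return one hit per flagged grid_style value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for raw in grid_style_values(m["target"]):
            reason = classify(raw)
            if reason:
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "raw": raw, "decoded": fully_decode(raw), "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"reason={hit['reason']} value={hit['decoded']!r}")
```

The same `classify` logic expresses the WAF rule of recommendation 2: anything that does not match the expected slug after full decoding is rejected, which is more robust than matching a single encoding of `../`. Because a 200 response is not proof that an include succeeded, a hit should be triaged together with the served byte count and any follow-up requests from the same client.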


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-05-20T17:09:00.794Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6bdeb7ef31ef0b55b987

Added to database: 2/25/2026, 9:38:38 PM

Last enriched: 2/26/2026, 2:25:03 AM

Last updated: 2/26/2026, 11:19:30 AM
