CVE-2024-5153

CRITICAL

Startklar Elementor Addons <1.7.15 - Path Traversal

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-5153. PoCs published by Sudo-WP.

AI-analyzed exploit summary: This repository is a security-patched fork of the abandoned 'Startklar Elementor Addons' plugin, addressing CVE-2024-5153 (Directory Traversal) and Arbitrary File Upload vulnerabilities. It includes hardened code with strict file type validation, CSRF protection, and path sanitization.

Description

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain sensitive information, and to delete arbitrary directories, including the root WordPress directory.

Exploits (1)

nomisec WORKING POC
by Sudo-WP · poc
https://github.com/Sudo-WP/sudowp-dropzone-elementor

Classification
Working PoC 90%
Attack Type
RCE | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Startklar Elementor Addons (v1.7.15)
No auth needed
Prerequisites: WordPress with Elementor Pro installed · Original vulnerable plugin (Startklar Elementor Addons) must be deactivated/deleted
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.1
EPSS 0.0100
EPSS Percentile 58.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (2)
web-shop-host/startklar_elmentor_addons < 1.7.15
wshberlin/Startklar Elementor Addons < 1.7.15
Published Jun 06, 2024
Tracked Since Feb 18, 2026