CVE-2024-37520: 
WordPress vulnerability analysis and mitigation

A Path Traversal vulnerability (CVE-2024-37520) was identified in RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons affecting versions through 2.1.12. The vulnerability was discovered by João Pedro Soares de Alcântara and publicly disclosed on July 5, 2024 (Patchstack).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue, identified as CWE-22. It received a CVSS v3.1 base score of 8.8 (High) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a CVSS score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. This could potentially expose sensitive information such as database credentials, which depending on the configuration, might lead to complete database compromise (Patchstack).

The vulnerability has been fixed in version 2.1.13 of the ShopBuilder – Elementor WooCommerce Builder Addons plugin. Users are advised to update to version 2.1.13 or later to remove the vulnerability (Patchstack).