CVE-2024-4346 Overview
The Startklar Elementor Addons plugin for WordPress contains a critical arbitrary file deletion vulnerability affecting all versions up to and including 1.7.13. The flaw stems from insufficient validation of a user-controlled file path in the plugin's dropzone upload handler before that path is passed to a deletion call. It lets unauthenticated attackers delete any file the web server user is able to remove, including wp-config.php; deleting that file drops the site into the WordPress installation wizard, which an attacker can complete with a database they control, leading to site takeover and remote code execution.
Critical Impact
Unauthenticated attackers can delete arbitrary files including wp-config.php, enabling site takeover and remote code execution without any authentication.
Affected Products
- Startklar Elementor Addons plugin for WordPress versions up to and including 1.7.13
- WordPress sites using vulnerable versions of the Startklar Elementor Addons plugin
Discovery Timeline
- May 7, 2024 - CVE-2024-4346 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2024-4346
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), a category of security flaws where improper neutralization of special elements used in a pathname allows attackers to access or manipulate files outside the intended directory. In this case, the Startklar Elementor Addons plugin fails to properly validate the path of uploaded files before executing deletion operations.
The vulnerability is particularly severe because it requires no authentication. An attacker supplies a path containing traversal sequences so that the deletion targets any file the web server process is permitted to remove; note that PHP's unlink() succeeds whenever the process has write and execute permission on the containing directory, regardless of the target file's own mode. wp-config.php is the classic target because it holds the database credentials and security keys, and without it WordPress redirects visitors to the setup wizard, where whoever arrives first can enter new database settings and create an administrator account.
Root Cause
The root cause lies in the startklarDropZoneUploadProcess.php file, which processes file operations for the plugin's dropzone functionality. The vulnerable code accepts user-supplied file paths without proper sanitization or validation, allowing path traversal sequences (such as ../) to escape the intended upload directory. The plugin fails to implement adequate security measures such as canonicalization of paths, validation against a whitelist of allowed directories, or verification that the target file resides within expected boundaries.
Attack Vector
The attack can be executed remotely over the network without requiring any user interaction or authentication. An attacker crafts a malicious request targeting the vulnerable file deletion endpoint, including path traversal sequences in the file path parameter. By manipulating the path to point to critical WordPress files like wp-config.php, the attacker can delete essential configuration files.
Once wp-config.php is deleted, WordPress serves its installation wizard, which lets the attacker enter connection details for a database they control (or the original credentials, if they already know them) and create an administrator account. With administrator access the attacker can upload a plugin or theme containing PHP, giving remote code execution and a persistent backdoor.
Detection Methods for CVE-2024-4346
Indicators of Compromise
- Unexpected deletion of critical WordPress files such as wp-config.php, .htaccess, or index.php
- WordPress site displaying installation wizard unexpectedly
- HTTP requests to /wp-content/plugins/startklar-elmentor-forms-extwidgets/startklarDropZoneUploadProcess.php from unexpected clients, especially with path traversal sequences (../, or URL-encoded forms such as %2e%2e%2f) in the query string
- Any POST to that endpoint from an unexpected source: the access log records only the request line and query string, so a traversal sequence sent in the POST body is invisible there unless a WAF or mod_security rule logs request bodies
Detection Strategies
- Monitor web server access logs for requests to the Startklar Elementor Addons plugin directory, decoding URL encoding before matching ../ sequences, and review every POST to startklarDropZoneUploadProcess.php since POST bodies are not in the access log
- Implement file integrity monitoring to detect unauthorized deletion or modification of critical WordPress files
- Deploy Web Application Firewall (WAF) rules to block requests containing path traversal patterns
- Configure intrusion detection systems to alert on suspicious file deletion patterns
Monitoring Recommendations
- PHP does not log file operations on its own; use a kernel-level watch instead (for example an auditd syscall rule on unlink and unlinkat scoped to the WordPress directory, or an inotify-based monitor) so deletions are recorded and attributable to the web server process
- Set up alerts for changes to critical WordPress files including wp-config.php, .htaccess, and core WordPress files
- Monitor for WordPress sites entering installation mode as this may indicate successful exploitation
- Review plugin activity logs for unusual behavior from the Startklar Elementor Addons plugin
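An added example covering the access-log monitoring in Detection Strategies and the install-mode signal in Monitoring Recommendations; it is written for this page and is not tooling from the plugin, Wordfence or NVD. It parses combined-format access log lines, flags requests to the vulnerable endpoint (high when the URI carries a traversal sequence after URL decoding, medium otherwise because POST bodies are not logged) and flags hits on the WordPress installer pages. The log lines are constructed, use documentation IP ranges, and the severity labels are this example's own.

```python
import re
from urllib.parse import unquote

# Direct-access endpoint named in the advisory, plus the pages WordPress
# serves once wp-config.php is gone.
ENDPOINT = "startklarDropZoneUploadProcess.php"
INSTALL_PAGES = ("/wp-admin/setup-config.php", "/wp-admin/install.php")

# Apache/nginx combined log format: ip ident user [ts] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a slash, backslash or end of string, after decoding.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|$)")


def has_traversal(uri: str) -> bool:
    """True if the URI holds a dot-dot traversal, including %2e%2e%2f and double-encoded forms."""
    decoded = unquote(unquote(uri))
    return bool(TRAVERSAL_RE.search(decoded))


def classify(line: str):
    """Return a finding dict for a suspicious access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m["uri"]
    path = uri.split("?", 1)[0]
    if path.endswith(ENDPOINT) and has_traversal(uri):
        severity, reason = "high", "traversal sequence in request to vulnerable endpoint"
    elif path.endswith(ENDPOINT):
        # POST bodies are not in the access log, so any hit here deserves review.
        severity, reason = "medium", "request to vulnerable endpoint (body not logged)"
    elif path in INSTALL_PAGES:
        severity, reason = "medium", "site serving installation wizard"
    else:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "uri": uri, "status": m["status"], "severity": severity, "reason": reason}


def scan(lines):
    """Run classify() over an iterable of log lines and return the findings in order."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample lines (documentation IP ranges; not from a real incident).
PLUGIN_PATH = "/wp-content/plugins/startklar-elmentor-forms-extwidgets/" + ENDPOINT
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [07/May/2024:10:12:01 +0000] "POST {PLUGIN_PATH}?path=..%2F..%2F..%2F HTTP/1.1" 200 52 "-" "python-requests/2.31"',
    f'203.0.113.7 - - [07/May/2024:10:12:03 +0000] "POST {PLUGIN_PATH} HTTP/1.1" 200 52 "-" "python-requests/2.31"',
    '192.0.2.44 - - [07/May/2024:10:12:09 +0000] "GET /index.php HTTP/1.1" 200 8731 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/May/2024:10:12:20 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [07/May/2024:10:13:41 +0000] "GET {PLUGIN_PATH}?f=%252e%252e%252fwp-config.php HTTP/1.1" 200 52 "-" "curl/8.4.0"',
])


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f'{f["severity"]:6} {f["ip"]:14} {f["method"]} {f["uri"]}  # {f["reason"]}')
```

Run against a real log with `scan(open("/var/log/apache2/access.log"))`. The double decode in has_traversal() catches %252e-style double encoding, which single-pass WAF rules commonly miss; the installer-page rule is the post-exploitation signal, so a medium finding there shortly after endpoint hits from the same address should be treated as a confirmed deletion rather than a scan.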
How to Mitigate CVE-2024-4346
Immediate Actions Required
- Update Startklar Elementor Addons plugin to the latest patched version immediately
- Audit WordPress installations to verify the presence and integrity of critical files including wp-config.php
- Temporarily deactivate and remove the Startklar Elementor Addons plugin if immediate update is not possible
- Review web server logs for evidence of prior exploitation attempts
- Implement a Web Application Firewall to block path traversal attacks
Patch Information
The vulnerability has been addressed in plugin updates following version 1.7.13. Users should update to the latest available version through the WordPress plugin repository. The WordPress Plugin Changeset documents the security fixes applied to address this vulnerability. Additional details are available in the Wordfence Vulnerability Report.
Workarounds
- Disable the Startklar Elementor Addons plugin until the patch can be applied
- Restrict access to the startklarDropZoneUploadProcess.php file through web server configuration (this also disables the plugin's legitimate dropzone uploads, which is an acceptable trade-off for a stopgap)
- Implement server-level path traversal filtering using ModSecurity or similar WAF solutions
- Harden file permissions with the deletion semantics in mind: unlink() needs write access to the parent directory, not to the file, so make the WordPress root directory non-writable by the web server user; on ext4 or xfs, chattr +i wp-config.php additionally blocks deletion even by the file owner until the flag is cleared
# Configuration example: Block direct access to the vulnerable endpoint via .htaccess (Apache 2.4 uses Require; Order/Deny is 2.2 syntax and only works with mod_access_compat)
<FilesMatch "startklarDropZoneUploadProcess\.php$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

