Critical severity9.1NVD Advisory· Published May 7, 2024· Updated Apr 15, 2026

CVE-2024-4346

Description

The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.7.13. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/startklar-elmentor-forms-extwidgets/trunk/startklarDropZoneUploadProcess.phpnvd
plugins.trac.wordpress.org/changeset/3081987/startklar-elmentor-forms-extwidgetsnvd
www.wordfence.com/threat-intel/vulnerabilities/id/a125bbf1-8ff6-4f3d-a4fb-caaaefe1df2anvd

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.018
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000