CVE-2024-11617 | The Envolve Plugin plugin for WordPress is vulnerable to arb… | CVSS 9.8 CRITICAL

Description

The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Metadata

CVE ID: CVE-2024-11617
State: PUBLISHED
Assigner: Wordfence
Reserved: 2024-11-22 12:24 UTC
Published: 2025-05-09 06:42 UTC
Last updated: 2026-04-08 17:24 UTC
Primary CWE: CWE-434
CWE-434 Unrestricted Upload of File with Dangerous Type
Vendor / Product: ThemeKalia / Envolve Plugin
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
ThemeKalia	Envolve Plugin	—	0 ≤ 1.0

Weakness (CWE)

CWE	Source	Description
CWE-434	cna	CWE-434 Unrestricted Upload of File with Dangerous Type

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)