CVE-2024-11617: Envolve Plugin <= 1.0 - Unauthenticated Arbitrary File Upload via language_file and fonts_file
First published: Fri May 09 2025(Updated: )
The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Envolve Plugin | <=1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-11617?
CVE-2024-11617 has a high severity rating due to the potential for unauthenticated attackers to exploit file upload vulnerabilities.
How do I fix CVE-2024-11617?
To fix CVE-2024-11617, update the Envolve Plugin to the latest version where the file upload validation issue has been resolved.
Who is affected by CVE-2024-11617?
CVE-2024-11617 affects all versions of the Envolve Plugin for WordPress up to and including version 1.0.
What type of vulnerability is CVE-2024-11617?
CVE-2024-11617 is classified as an arbitrary file upload vulnerability due to inadequate file type validation.
Can CVE-2024-11617 be exploited without authentication?
Yes, CVE-2024-11617 can be exploited by unauthenticated attackers, making it particularly dangerous.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/severity
- agent/author
- agent/last-modified-date
- agent/source
- agent/tags
- agent/event
- vendor/envolve
- canonical/envolve plugin