Search criteria
4 vulnerabilities found for Envolve Plugin by ThemeKalia
CVE-2024-11617 (GCVE-0-2024-11617)
Vulnerability from nvd – Published: 2025-05-09 06:42 – Updated: 2026-04-08 17:24
VLAI?
Title
Envolve Plugin <= 1.0 - Unauthenticated Arbitrary File Upload via language_file and fonts_file
Summary
The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity ?
9.8 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeKalia | Envolve Plugin |
Affected:
0 , ≤ 1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T16:14:58.668723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T16:15:53.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Envolve Plugin",
"vendor": "ThemeKalia",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Friderika Baranyai"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the \u0027zetra_languageUpload\u0027 and \u0027zetra_fontsUpload\u0027 functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:54.488Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0ad02d9-546f-4bcb-b567-785e3acfb489?source=cve"
},
{
"url": "https://themeforest.net/item/envolve-consulting-business-wordpress-theme/28748459"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-05-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Envolve Plugin \u003c= 1.0 - Unauthenticated Arbitrary File Upload via language_file and fonts_file"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11617",
"datePublished": "2025-05-09T06:42:35.817Z",
"dateReserved": "2024-11-22T12:24:04.575Z",
"dateUpdated": "2026-04-08T17:24:54.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11615 (GCVE-0-2024-11615)
Vulnerability from nvd – Published: 2025-05-05 16:21 – Updated: 2026-04-08 16:33
VLAI?
Title
Envolve Plugin <= 1.0 - Unauthenticated Language File Deletion
Summary
The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.0 via the 'zetra_deleteLanguageFile' and 'zetra_deleteFontsFile' functions. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for unauthenticated attackers to delete language files.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeKalia | Envolve Plugin |
Affected:
0 , ≤ 1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11615",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T16:39:53.767947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T16:46:41.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Envolve Plugin",
"vendor": "ThemeKalia",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.0 via the \u0027zetra_deleteLanguageFile\u0027 and \u0027zetra_deleteFontsFile\u0027 functions. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for unauthenticated attackers to delete language files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:33:24.869Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05909e9c-4f57-4556-bae9-b0b63a9a43ba?source=cve"
},
{
"url": "https://themeforest.net/item/envolve-consulting-business-wordpress-theme/28748459"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-22T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-05-05T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Envolve Plugin \u003c= 1.0 - Unauthenticated Language File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11615",
"datePublished": "2025-05-05T16:21:46.262Z",
"dateReserved": "2024-11-22T05:56:58.361Z",
"dateUpdated": "2026-04-08T16:33:24.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11617 (GCVE-0-2024-11617)
Vulnerability from cvelistv5 – Published: 2025-05-09 06:42 – Updated: 2026-04-08 17:24
VLAI?
Title
Envolve Plugin <= 1.0 - Unauthenticated Arbitrary File Upload via language_file and fonts_file
Summary
The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity ?
9.8 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeKalia | Envolve Plugin |
Affected:
0 , ≤ 1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11617",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-09T16:14:58.668723Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-09T16:15:53.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Envolve Plugin",
"vendor": "ThemeKalia",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Friderika Baranyai"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the \u0027zetra_languageUpload\u0027 and \u0027zetra_fontsUpload\u0027 functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:54.488Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0ad02d9-546f-4bcb-b567-785e3acfb489?source=cve"
},
{
"url": "https://themeforest.net/item/envolve-consulting-business-wordpress-theme/28748459"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-22T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-05-08T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Envolve Plugin \u003c= 1.0 - Unauthenticated Arbitrary File Upload via language_file and fonts_file"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11617",
"datePublished": "2025-05-09T06:42:35.817Z",
"dateReserved": "2024-11-22T12:24:04.575Z",
"dateUpdated": "2026-04-08T17:24:54.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11615 (GCVE-0-2024-11615)
Vulnerability from cvelistv5 – Published: 2025-05-05 16:21 – Updated: 2026-04-08 16:33
VLAI?
Title
Envolve Plugin <= 1.0 - Unauthenticated Language File Deletion
Summary
The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.0 via the 'zetra_deleteLanguageFile' and 'zetra_deleteFontsFile' functions. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for unauthenticated attackers to delete language files.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ThemeKalia | Envolve Plugin |
Affected:
0 , ≤ 1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11615",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T16:39:53.767947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T16:46:41.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Envolve Plugin",
"vendor": "ThemeKalia",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.0 via the \u0027zetra_deleteLanguageFile\u0027 and \u0027zetra_deleteFontsFile\u0027 functions. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for unauthenticated attackers to delete language files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:33:24.869Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05909e9c-4f57-4556-bae9-b0b63a9a43ba?source=cve"
},
{
"url": "https://themeforest.net/item/envolve-consulting-business-wordpress-theme/28748459"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-22T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-05-05T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Envolve Plugin \u003c= 1.0 - Unauthenticated Language File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11615",
"datePublished": "2025-05-05T16:21:46.262Z",
"dateReserved": "2024-11-22T05:56:58.361Z",
"dateUpdated": "2026-04-08T16:33:24.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}