WordPress Plugin Vulnerabilities

Layouts for Elementor < 1.8 - Missing Authorization to Unauthenticated Arbitrary File Upload

Description

The Layouts for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the handle_import() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to upload arbitrary files that can be used to achieve remote code execution.

Affects Plugins

Plugin icon
layouts-for-elementor
Fixed in 1.8

References

CVE
CVE-2024-30533
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1feb3fa0-5fd9-443a-830c-cb1700ff30df

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
10 (critical)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
0a099404-6a8f-4184-b236-29667fe22098

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-03 (about 2 years ago)
Last Updated
2024-04-03 (about 2 years ago)

Other

Published
Title
Published
2026-02-19
Title
Court Reservation <= 1.10.11 - Missing Authorization
Published
2024-06-06
Title
Media Slider – Photo Sleder, Video Slider, Link Slider, Carousal Slideshow < 1.4.0 - Missing Authorization
Published
2025-11-28
Title
Show Variations as Single Products Woocommerce < 3.0 - Missing Authorization
Published
2025-12-30
Title
JetBlog < 2.4.7.1 - Missing Authorization
Published
2026-02-11
Title
LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.7 - Missing Authorization to Booking Details Exposure