WordPress Plugin Vulnerabilities

Plus Addons for Elementor < 2.0.7 - Contributor+ Arbitrary File Access

Description

The plugin does not validate that the file to be included as an SVG in the Info Box is actually an SVG, allowing users with the role of Contributor and above to read arbitrary files on the server

Affects Plugins

Plugin icon
the-plus-addons-for-elementor-page-builder
Fixed in 2.0.7

References

CVE
CVE-2021-4332

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
2f9256c9-9fdf-454c-8f74-3a76d2efa117

Timeline

Publicly Published
2021-04-14 (about 4 years ago)
Added
2023-03-07 (about 3 years ago)
Last Updated
2023-03-07 (about 3 years ago)

Other

Published
Title
Published
2025-02-23
Title
Download Manager < 3.3.07 - Unauthenticated Data Exposure
Published
2019-06-02
Title
Simple File List < 3.2.8 - Unauthenticated Arbitrary File Download
Published
2025-07-23
Title
Security Ninja 5.201 - 5.242 - Admin+ Arbitrary File Read
Published
2024-10-10
Title
Contact Form by Bit Form< 2.15.3 - Admin+ Arbitrary File Read
Published
2025-09-03
Title
atec Debug < 1.2.23 - Admin+ Arbitrary File Read