WordPress Plugin Vulnerabilities

Elementor Addon Elements < 1.13 - Contributor+ to LFI

Description

The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of arbitrary PHP files on the server, which may expose sensitive information.

Affects Plugins

Plugin icon
addon-elements-for-elementor-page-builder
Fixed in 1.13

References

CVE
CVE-2024-1358
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/20cd3fff-0488-4bc2-961b-2427925e6a96

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.2 (high)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
b228e120-046e-4c97-be33-188ad17218a4

Timeline

Publicly Published
2024-02-21 (about 2 years ago)
Added
2024-02-25 (about 2 years ago)
Last Updated
2024-02-26 (about 2 years ago)

Other

Published
Title
Published
2025-06-27
Title
BeeTeam368 Extensions Pro < 2.3.5 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion
Published
2024-01-19
Title
Photo Gallery by 10Web - Mobile-Friendly Image Gallery < 1.8.20 - Directory Traversal to Arbitrary File Rename
Published
2025-01-30
Title
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution < 4.2.15 - Unauthenticated Limited Local File Inclusion
Published
2024-12-05
Title
DELUCKS SEO <= 2.7.0 - Subscriber+ Arbitrary File Read
Published
2025-06-04
Title
Spice Blocks < 2.0.7.5 - Unauthenticated Arbitrary File Download