140+ Widgets | Best Addons For Elementor – FREE < 1.4.3.2 – Authenticated (Contributor+) PHP Object Injection | CVE 2024-4471 | Plugin Vulnerabilities

Description

The 140+ Widgets | Best Addons For Elementor – FREE for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.3.1 via deserialization of untrusted input in the 'export_content' function. This allows authenticated attackers, with contributor-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Thanks,
Francesco

Affects Plugins

xpro-elementor-addons

Fixed in 1.4.3.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5c517278-9d2a-4ef6-bf0e-a62f6b00dd20

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

b8843471-6f14-415a-9614-0da1b1419c45

Timeline

Publicly Published

2024-05-22 (about 2 years ago)

Added

2024-05-23 (about 2 years ago)

Last Updated

2024-05-23 (about 2 years ago)

Other

Published

Title

Published

2025-10-29

Title

Jannah < 7.6.1 - Unauthenticated PHP Object Injection

Published

2026-04-22

Title

EmallShop < 2.4.22 - Unauthenticated PHP Object Injection

Published

2026-03-03

Title

Pets Club <= 2.3 - Unauthenticated PHP Object Injection

Published

2022-11-21

Title

Cooked Pro < 1.7.5.7 - Unauthenticated PHP Object Injection

Published

2022-12-13

Title

WP Custom Admin Interface < 7.29 - Admin+ PHP Object Injection