Shortcode Addons <= 3.2.5 – Authenticated (Admin+) Arbitrary File Upload | CVE 2024-31114 | Plugin Vulnerabilities

Description

The Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.2.5. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

shortcode-addons

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9addaa26-46b3-4fbf-8986-0b8c8f2dd286

Miscellaneous

Original Researcher

Peng Zhou

Verified

No

WPVDB ID

ee95ece1-bb51-4cbb-9552-ae9a4090b16e

Timeline

Publicly Published

2024-03-29 (about 2 years ago)

Added

2024-04-03 (about 2 years ago)

Last Updated

2024-04-03 (about 2 years ago)

Other

Published

Title

Published

2022-03-14

Title

MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution

Published

2026-03-18

Title

Wishlist Member <= 3.29.0 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2025-06-11

Title

Workreap < 3.3.3 - Authenticated (Subscriber+) Arbitrary File Upload via 'workreap_temp_upload_to_media'

Published

2021-02-10

Title

Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload

Published

2025-05-27

Title

MasterStudy LMS Pro < 4.7.1 - Authenticated (Subscriber+) Arbitrary File Upload