WordPress Plugin Vulnerabilities

Xpro Elementor Addons < 1.4.20 - Authenticated (Author+) Arbitrary File Upload

Description

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.4.19.1. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
xpro-elementor-addons
Fixed in 1.4.20

References

CVE
CVE-2025-69312
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8c93991e-9a71-4600-94a0-8c344ed6bc81

Miscellaneous

Original Researcher
Mdr
Verified
No
WPVDB ID
eeb85730-f9b9-4315-ae28-7b38717f4495

Timeline

Publicly Published
2026-01-19 (about 5 months ago)
Added
2026-01-28 (about 4 months ago)
Last Updated
2026-01-28 (about 4 months ago)

Other

Published
Title
Published
2014-08-01
Title
Switchblade 1.3 - Arbitrary File Upload
Published
2024-11-13
Title
B-Banner Slider <= 1.1 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2025-07-11
Title
Helpdesk Support Ticket System for WooCommerce <= 2.1.0 - Unauthenticated Arbitrary File Upload
Published
2025-03-28
Title
Inline Image Upload for BBPress < 1.1.20 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2014-08-01
Title
Magn WP Drag & Drop <= 1.1.4 - Upload Shell Upload