CVE-2024-13808

HIGH

Xpro Elementor Addons - Pro <= 1.4.9 - Authenticated Remote Code Execution via Custom PHP Widget

Title source: llm

Description

The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.9 via the custom PHP widget. This is due to their only being client side controls when determining who can access the widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

References (2)

Core 2

Core References

Product

https://elementor.wpxpro.com

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/0833e55f-22aa-44c9-aff6-1f3b74016e4c?source=cve

Scores

CVSS v3 8.8

EPSS 0.0062

EPSS Percentile 45.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

WPXpro/Xpro Elementor Addons - Pro < 1.4.9

wpxpro/xpro_addons_for_elementor < 1.4.10

Published Apr 26, 2025

Tracked Since Feb 18, 2026