CVE-2021-4332

Name of the Vulnerable Software and Affected Versions The Plus Addons for Elementor plugin for WordPress versions up to, and including 4.1.9 (pro) and 2.0.6 (free)

Description The plugin is vulnerable to arbitrary file reads due to a feature that allows adding an "Info Box" to an Elementor created page, which can include an SVG image. The plugin uses file get contents with no verification that the file being supplied is an SVG file, allowing any user with access to the Elementor page builder to read arbitrary files on the WordPress installation.

Recommendations For versions up to, and including 4.1.9 (pro) and 2.0.6 (free), update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.