PT-2024-36387 · WordPress · The Plus Addons For Elementor Page Builder

Wesley · Published 2024-06-20 · Updated 2024-07-17 · CVE-2024-5455

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Plus Addons for Elementor Page Builder plugin for WordPress versions up to, and including, 5.5.4
Description: The issue allows authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server via the magazine style parameter within the Dynamic Smart Showcase widget. This enables the execution of any PHP code in those files, which can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Recommendations: Update to version 5.5.5 to resolve the issue. As a temporary workaround, consider restricting access to the Dynamic Smart Showcase widget until a patch is available. Avoid using the magazine style parameter in the affected widget until the issue is resolved.
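For developers reviewing similar widget code, the following added example (not the plugin's own code and not its 5.5.5 fix) shows one way to keep a request-supplied style value from reaching `include` as a path. It assumes the style value selects a template file; `ALLOWED_STYLES`, `resolve_style_template()` and the template directory layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of style names; not taken from the plugin.
const ALLOWED_STYLES = ['style-1', 'style-2', 'style-3'];

/**
 * Map a request-supplied style name to a template file inside $templateDir.
 * Returns the resolved path, or null if the value must not be included.
 */
function resolve_style_template(string $style, string $templateDir): ?string
{
    // 1. Exact allowlist match: the request picks a name, never a path.
    if (!in_array($style, ALLOWED_STYLES, true)) {
        return null;
    }
    // 2. Defence in depth: resolve symlinks and confirm the file exists
    //    and still sits under the template directory.
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $style . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
$file = $dir . DIRECTORY_SEPARATOR . 'style-1.php';
file_put_contents($file, "<?php echo 'style-1 layout';\n");

// Constructed inputs: a valid name, an unknown name, a path-like value, empty.
foreach (['style-1', 'style-9', '../outside', ''] as $input) {
    $template = resolve_style_template($input, $dir);
    if ($template === null) {
        printf("%-12s -> rejected, using default layout\n", var_export($input, true));
        continue;
    }
    printf("%-12s -> including %s: ", var_export($input, true), basename($template));
    include $template; // only reached for an allowlisted, contained file
    echo "\n";
}

unlink($file);
rmdir($dir);
```

Only `style-1` is included in the demo; every other value falls back to the default layout instead of being passed to `include`.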

Related Identifiers

CVE-2024-5455

Affected Products

The Plus Addons For Elementor Page Builder