PT-2025-17946 · WordPress · Xpro Elementor Addons

Matthew Rollings · Published 2025-04-26 · Updated 2025-05-01 · CVE-2024-13808

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Xpro Elementor Addons - Pro plugin for WordPress, versions 1.4.9 and below.

Description: The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.9 via the custom PHP widget. This is due to there only being client-side controls when determining who can access the widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Recommendations: For versions 1.4.9 and below, consider disabling the custom PHP widget until a patch is available to prevent Remote Code Execution. Restrict access to the custom PHP widget to minimize the risk of exploitation. Avoid using the custom PHP widget in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
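The missing server-side check, as an added mitigation example (not the vendor's code and not part of the advisory): a must-use plugin that enforces the capability check at save time, instead of relying on the editor UI, and that can disable the widget outright. It assumes the widget is an ordinary Elementor widget stored in `_elementor_data`, Elementor's `elementor/document/save/data` filter, and a placeholder `widgetType` slug, since the advisory does not give the real one.

```php
<?php
/**
 * Plugin Name: Custom PHP widget mitigation (added example, not the vendor's code)
 * Install in wp-content/mu-plugins/ so it cannot be deactivated from the UI.
 */

// PLACEHOLDER: the widget's Elementor widgetType slug is not in the advisory;
// take it from the plugin source before deploying.
const XPRO_PHP_WIDGET_TYPE = 'REPLACE_WITH_REAL_WIDGET_TYPE';
// true applies the "disable the custom PHP widget" recommendation to everyone.
const XPRO_PHP_WIDGET_DISABLED = false;

// Recursively remove the widget from an Elementor element tree (the JSON
// stored in _elementor_data), counting how many were dropped.
function xpro_mitigation_strip_widget( array $elements, int &$removed ): array {
    $kept = [];
    foreach ( $elements as $element ) {
        if ( ( $element['widgetType'] ?? '' ) === XPRO_PHP_WIDGET_TYPE ) {
            $removed++;
            continue;
        }
        if ( ! empty( $element['elements'] ) && is_array( $element['elements'] ) ) {
            $element['elements'] = xpro_mitigation_strip_widget( $element['elements'], $removed );
        }
        $kept[] = $element;
    }
    return $kept;
}

// The check the advisory says is missing: authorization enforced server-side
// at save time with current_user_can(), not by hiding the widget in the editor
// UI, which any authenticated user can bypass by sending the save request directly.
add_filter( 'elementor/document/save/data', function ( $data, $document ) {
    if ( empty( $data['elements'] ) || ! is_array( $data['elements'] ) ) {
        return $data;
    }
    // Administrators keep the widget unless it has been disabled outright.
    if ( ! XPRO_PHP_WIDGET_DISABLED && current_user_can( 'manage_options' ) ) {
        return $data;
    }
    $removed = 0;
    $data['elements'] = xpro_mitigation_strip_widget( $data['elements'], $removed );
    if ( $removed > 0 ) {
        error_log( sprintf( 'xpro mitigation: dropped %d custom PHP widget(s) from post %d saved by user %d',
            $removed, $document->get_post()->ID, get_current_user_id() ) );
    }
    return $data;
}, 10, 2 );
```

This gates new saves only; widget instances already stored in `_elementor_data` keep rendering until the content is re-saved or cleaned, so audit existing pages as well and watch the error log for dropped widgets as a detection signal.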

RCE · Code Injection

Weakness Enumeration

Related Identifiers: CVE-2024-13808

Affected Products: Xpro Elementor Addons