Platform
wordpress
Component
xpro-elementor-addons
Fixed version
1.4.10
CVE-2024-13808 is a critical Remote Code Execution (RCE) vulnerability affecting Xpro Elementor Addons - Pro versions up to and including 1.4.9. An attacker with Contributor-level access or higher can leverage this flaw to execute arbitrary code on the server. The vulnerability stems from inadequate client-side controls when managing access to the custom PHP widget, so the server never enforces who may use it. A fix is available; upgrading is the recommended solution.
This RCE vulnerability allows an authenticated attacker to gain complete control over the affected WordPress server. An attacker with Contributor access can upload and execute malicious PHP code, potentially leading to data breaches, website defacement, malware installation, or complete server compromise. The blast radius extends to any sensitive data stored on the server, including user credentials, database information, and configuration files. Successful exploitation could also facilitate lateral movement to other systems within the network if the WordPress server has access to them. This vulnerability shares similarities with other plugin-based RCE exploits where insufficient input validation allows for code injection.
CVE-2024-13808 was published on 2025-04-26. As of this date, there are no confirmed reports of active exploitation in the wild. No public proof-of-concept (PoC) code has been released, but the vulnerability's ease of exploitation suggests a high probability of exploitation if it remains unpatched. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing Xpro Elementor Addons - Pro, particularly those with multiple users holding Contributor or higher roles, are at significant risk. Shared hosting environments where users have limited control over plugin updates are also particularly vulnerable. Legacy WordPress installations with outdated security practices are more likely to be targeted.
Detection
• wordpress / composer / npm:
grep -r 'custom_php_widget' /var/www/html/wp-content/plugins/xpro-elementor-addons-pro/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'xpro-elementor-addons-pro'
• wordpress / composer / npm:
curl -s -o /dev/null -w '%{http_code}\n' http://your-wordpress-site.com/wp-content/plugins/xpro-elementor-addons-pro/
(A 200 or 403 response indicates the plugin directory is present on the site; response headers do not carry the plugin name, so they cannot be grepped for it.)
Exploitation status
EPSS
1.86% (83rd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade Xpro Elementor Addons - Pro to 1.4.10 or later, as the vendor has released a patch. If upgrading is not immediately feasible due to compatibility issues or testing requirements, temporarily restrict access to the custom PHP widget functionality. Web Application Firewalls (WAFs) configured to detect and block PHP code execution attempts targeting the widget endpoint provide an additional layer of defense. Monitor WordPress logs for suspicious activity, particularly requests related to the custom PHP widget. Enforce strict user access controls to limit the number of accounts with Contributor-level access or higher.
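As an added example (not code from the advisory or from the plugin vendor), the following Python triage script checks the two preconditions this advisory names: an installed plugin version below 1.4.10, and accounts holding a built-in WordPress role of Contributor level or higher. It assumes the plugin slug `xpro-elementor-addons-pro` used in the detection commands above, and parses constructed WP-CLI CSV output in place of a live site.

```python
"""Triage helper for CVE-2024-13808 (Xpro Elementor Addons - Pro <= 1.4.9).
Parses the CSV printed by `wp plugin list --format=csv --fields=name,status,version`
and `wp user list --format=csv --fields=user_login,roles`; reports whether the plugin
is below the fixed release (1.4.10) and which accounts meet the Contributor-or-higher
precondition. Sample CSV below is constructed, not captured from a real site.
"""
import csv
import io
import re

PLUGIN_SLUG = "xpro-elementor-addons-pro"  # assumed slug, as in the advisory's checks
FIXED_VERSION = (1, 4, 10)
# Built-in WordPress roles at or above Contributor; custom roles are not inspected.
PRIVILEGED_ROLES = {"contributor", "author", "editor", "administrator"}

def parse_version(version):
    """Turn '1.4.9' (or '1.4.9-beta1') into a tuple of ints that compares numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3]) or (0,)

def is_vulnerable(version):
    """Every release below 1.4.10 is in the affected range (up to and including 1.4.9)."""
    return parse_version(version) < FIXED_VERSION

def plugin_status(plugin_csv):
    """Return (installed, active, vulnerable) for the Pro plugin slug."""
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        if row["name"] == PLUGIN_SLUG:
            return True, row["status"] == "active", is_vulnerable(row["version"])
    return False, False, False

def exposed_users(user_csv):
    """Logins holding at least one built-in role of Contributor level or higher."""
    exposed = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        if roles & PRIVILEGED_ROLES:
            exposed.append(row["user_login"])
    return exposed

# Constructed sample WP-CLI output (not from a real site).
SAMPLE_PLUGINS = "name,status,version\nelementor,active,3.0.0\nxpro-elementor-addons-pro,active,1.4.9\n"
SAMPLE_USERS = 'user_login,roles\nadmin,administrator\ndana,contributor\nsam,subscriber\nlee,"editor,subscriber"\n'

if __name__ == "__main__":
    installed, active, vulnerable = plugin_status(SAMPLE_PLUGINS)
    if installed and vulnerable:
        print("UPGRADE to 1.4.10+; accounts meeting the precondition:", exposed_users(SAMPLE_USERS))
```

On a real site, pipe the two `wp ... --format=csv` commands into the functions in place of the constructed strings; an empty `exposed_users()` list does not remove the need to upgrade.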
Update the Xpro Elementor Addons - Pro plugin to the latest available version. The vulnerability allows remote code execution, so it is crucial to update as soon as possible.
CVE-2024-13808 is a Remote Code Execution vulnerability in Xpro Elementor Addons - Pro versions up to 1.4.9, allowing authenticated users to execute code on the server.
You are affected if you are using Xpro Elementor Addons - Pro version 1.4.9 or earlier. Check your plugin version and upgrade immediately.
Upgrade Xpro Elementor Addons - Pro to a version higher than 1.4.9. Consider temporary restrictions on the custom PHP widget if immediate upgrade is not possible.
As of 2025-04-26, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests a high risk of exploitation.
Refer to the Xpro Elementor Addons official website or WordPress plugin repository for the latest advisory and update information.