First published: Tue Mar 07 2023
The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to and including 4.1.9 (pro) and 2.0.6 (free). The plugin has a feature to add an "Info Box" to an Elementor-built page, and this Info Box can include an SVG image. Unfortunately, the plugin passed the supplied path straight to file_get_contents with no verification that the file was an SVG, so any user with access to the Elementor page builder, such as a contributor, could read arbitrary files on the WordPress installation.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix |
---|---|---|
Posimyth The Plus Addons For Elementor (free) | <=2.0.6 | |
Posimyth The Plus Addons For Elementor (pro) | <=4.1.9 | |
CVE-2021-4332 is a vulnerability in the Plus Addons for Elementor plugin for WordPress that allows arbitrary file reads.
Versions up to and including 4.1.9 (pro) and 2.0.6 (free) of the Plus Addons for Elementor plugin are affected by CVE-2021-4332.
CVE-2021-4332 has a severity score of 6.5, which is considered medium.
To fix CVE-2021-4332, update to a version of the Plus Addons for Elementor plugin that is higher than 4.1.9 (pro) or 2.0.6 (free).
You can find more information about CVE-2021-4332 at the following references: [Reference 1](https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2523506%40the-plus-addons-for-elementor-page-builder&new=2523506%40the-plus-addons-for-elementor-page-builder&sfp_email=&sfph_mail=) and [Reference 2](https://www.wordfence.com/threat-intel/vulnerabilities/id/aa698e7e-b1c7-4ead-aa2e-7fbfc9dfac80).
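The defect class the advisory describes, shown as an added illustration rather than the plugin's actual code: a widget setting handed straight to file_get_contents, beside a hardened version that only accepts a media-library attachment ID and refuses anything that does not resolve to an SVG inside the uploads directory. The function names and the `svg_path` / `svg_attachment_id` setting keys are assumptions; the WordPress helpers (`absint`, `get_post_mime_type`, `get_attached_file`, `wp_upload_dir`) are real core functions.

```php
<?php
// Hypothetical before/after of the pattern behind this advisory (not the plugin's own code).

// BEFORE (vulnerable pattern): whatever path the page-builder user typed is read and
// inlined, so a Contributor-level account can pull any file the PHP process can open.
function render_info_box_icon_vulnerable( array $settings ): string {
    return (string) file_get_contents( $settings['svg_path'] );
}

// AFTER (hardened): the widget stores an attachment ID, never a path. The server resolves
// the file itself, checks the recorded MIME type, and confines the resolved path to uploads.
function render_info_box_icon_safe( array $settings ): string {
    $attachment_id = absint( $settings['svg_attachment_id'] ?? 0 );
    if ( ! $attachment_id || 'image/svg+xml' !== get_post_mime_type( $attachment_id ) ) {
        return ''; // not a media-library SVG
    }

    $file = get_attached_file( $attachment_id ); // path comes from the attachment record
    $real = $file ? realpath( $file ) : false;   // collapse symlinks and ../ segments
    $base = realpath( wp_upload_dir()['basedir'] );

    if ( false === $real || false === $base
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return ''; // resolved path escaped the uploads tree or does not exist
    }

    $svg = file_get_contents( $real );
    return false === $svg ? '' : $svg;
}
```

The confinement check matters even with attachment IDs, because a symlinked or externally edited attachment record would otherwise still let file_get_contents leave the uploads directory.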