Cyber Posture

CVE-2024-11600

Severity: High · Type: RCE

Published: 30 January 2025
Modified: 08 April 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0081 (74.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-11600 is a high-severity Code Injection (CWE-94) vulnerability in Visualmodo Borderless. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 25.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation) [prevent]
Directly mandates timely identification, reporting, and patching of software flaws such as the unsanitized JSON import in the Borderless plugin that enables RCE.

SI-10 (Information Input Validation) [prevent]
Requires validation and sanitization of information inputs such as imported JSON files, blocking the code injection exploited in this CVE.

[prevent]
Establishes policies to restrict or monitor user installation of third-party plugins like Borderless that introduce RCE risks via inadequate input handling.

NVD Description

The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.6.0 via the 'write_config' function. This is due to a lack of sanitization on an imported JSON file. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

Deeper analysis

CVE-2024-11600 is a remote code execution vulnerability affecting the Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress, in all versions up to and including 1.6.0. The issue stems from a lack of sanitization on an imported JSON file in the 'write_config' function within the plugin's icon-manager component, classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting a malicious JSON file and importing it via the plugin's functionality, they can achieve arbitrary code execution on the affected WordPress server, potentially leading to full server compromise.

References from the WordPress plugin trac repository highlight vulnerable code locations in icon-manager.php at lines 249, 333, and 388 in version 1.5.7, along with a patch applied in changeset 3231327 to the trunk. Wordfence's threat intelligence advisory (ID 643b8b82-c4e1-4b81-a7e0-aee0f9270702) documents the issue, recommending updates to patched versions beyond 1.6.0 for mitigation.
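The root cause named above (an imported JSON file written out as configuration without validation) is exactly what SI-10 addresses. The following PHP sketch is an added example, not the Borderless plugin's own code, of an import handler that decodes the upload, validates it against a strict allow-list of keys and value types, and stores the result as plain data through WordPress's options API rather than writing it into an executable file. The function names, the option name and the icon-set schema are assumptions made for the example.

```php
<?php
// Added example (not Borderless plugin code): a hardened icon-set import.
// Assumed schema: {"sets": [{"name": "...", "prefix": "...", "icons": ["...", ...]}]}

/**
 * Validate a decoded icon-manager import against a strict allow-list.
 * Returns the sanitized structure, or null if anything is unexpected.
 */
function example_validate_icon_config( $data ) {
    if ( ! is_array( $data ) || array_keys( $data ) !== array( 'sets' ) || ! is_array( $data['sets'] ) ) {
        return null; // unknown top-level keys are rejected, never passed through
    }
    $clean   = array( 'sets' => array() );
    $allowed = array( 'name', 'prefix', 'icons' );
    foreach ( $data['sets'] as $set ) {
        if ( ! is_array( $set ) || array_diff( array_keys( $set ), $allowed ) !== array() ) { return null; }
        if ( ! isset( $set['name'], $set['prefix'], $set['icons'] ) ) { return null; }
        if ( ! is_string( $set['name'] ) || ! is_string( $set['prefix'] ) || ! is_array( $set['icons'] ) ) { return null; }
        // CSS class fragments: letters, digits, hyphen and underscore only.
        if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $set['prefix'] ) ) { return null; }
        $icons = array();
        foreach ( $set['icons'] as $icon ) {
            if ( ! is_string( $icon ) || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $icon ) ) { return null; }
            $icons[] = $icon;
        }
        $clean['sets'][] = array(
            'name'   => sanitize_text_field( $set['name'] ),
            'prefix' => $set['prefix'],
            'icons'  => $icons,
        );
    }
    return $clean;
}

/**
 * Admin handler for the upload. Stores validated data as an option (plain data),
 * never as PHP source, so nothing in the uploaded file can become executable code.
 */
function example_handle_icon_import() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Insufficient privileges.' ); }
    check_admin_referer( 'example_icon_import' ); // CSRF nonce check
    if ( empty( $_FILES['config']['tmp_name'] ) ) { wp_die( 'No file uploaded.' ); }
    $raw   = file_get_contents( $_FILES['config']['tmp_name'] );
    $data  = json_decode( $raw, true, 8 ); // associative arrays, bounded nesting depth
    $clean = ( JSON_ERROR_NONE === json_last_error() ) ? example_validate_icon_config( $data ) : null;
    if ( null === $clean ) { wp_die( 'Rejected: import did not match the expected icon-set schema.' ); }
    update_option( 'example_icon_sets', $clean, false );
}
```

Even with a strict schema, the handler still requires Administrator capability and a nonce; the point is that a privileged import should never be able to turn file contents into code, which is what the 'write_config' flaw allowed.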

Details

CWE(s)
CWE-94 (Code Injection)

Affected Products
visualmodo / borderless, versions ≤ 1.5.9

CVEs Like This One

CVE-2026-25001 (shared CWE-94)
CVE-2026-32573 (shared CWE-94)
CVE-2025-25943 (shared CWE-94)
CVE-2025-67113 (shared CWE-94)
CVE-2025-22906 (shared CWE-94)
CVE-2025-63421 (shared CWE-94)
CVE-2025-23209 (shared CWE-94)
CVE-2026-39440 (shared CWE-94)
CVE-2026-42238 (shared CWE-94)
CVE-2026-32276 (shared CWE-94)

References