Cyber Resilience

CVE-2024-13353

High

Published: 21 February 2025

Published
21 February 2025
Modified
25 February 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 20.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13353 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Cyberchimps Responsive Addons For Elementor. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13353 is a Local File Inclusion (LFI) vulnerability in the Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress, affecting all versions up to and including 1.6.4. The flaw resides in several widgets, enabling the inclusion and execution of arbitrary files on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the affected widgets, they can include arbitrary server files containing PHP code for execution, bypassing access controls, extracting sensitive data, or achieving remote code execution—particularly when "safe" file types like images with embedded PHP are uploadable and subsequently included.

WordPress plugin trac references detail patches applied in version 1.6.5 via changeset 3226779, specifically addressing vulnerable code in files such as class-responsive-addons-for-elementor-product-carousel.php (line 3151 in trunk) and class-responsive-addons-for-elementor-woo-products.php (line 3725 in trunk). Wordfence's threat intelligence advisory confirms the issue and recommends updating to the patched version for mitigation.

EU & UK References

Vulnerability details

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.4 via several widgets. This makes it possible for authenticated attackers,…

more

with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

LFI in public-facing WordPress plugin widgets directly enables exploitation for RCE and arbitrary file execution by authenticated network attackers.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13792Same product class: WordPress / CMS plugin
CVE-2024-13921Same product class: WordPress / CMS plugin
CVE-2024-13694Same product class: WordPress / CMS plugin
CVE-2025-24618Same product class: WordPress / CMS plugin
CVE-2025-7360Same product class: WordPress / CMS plugin
CVE-2024-13641Same product class: WordPress / CMS plugin
CVE-2024-13831Same product class: WordPress / CMS plugin
CVE-2024-13558Same product class: WordPress / CMS plugin
CVE-2025-24596Same product class: WordPress / CMS plugin
CVE-2024-13904Same product class: WordPress / CMS plugin

Affected Assets

cyberchimps
responsive addons for elementor
≤ 1.6.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the known LFI flaw by patching the plugin to version 1.6.5 or later directly prevents exploitation of the vulnerable widgets.

prevent

Validating file path inputs to the affected widgets prevents path traversal attacks that enable arbitrary file inclusion and PHP code execution.

prevent

Restricting or prohibiting user installation of unapproved third-party plugins like Responsive Addons prevents deployment of the vulnerable software.

References