CVE-2024-13353
Published: 21 February 2025
Summary
CVE-2024-13353 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Cyberchimps Responsive Addons For Elementor. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13353 is a Local File Inclusion (LFI) vulnerability in the Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress, affecting all versions up to and including 1.6.4. The flaw resides in several widgets, enabling the inclusion and execution of arbitrary files on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the affected widgets, they can include arbitrary server files containing PHP code for execution, bypassing access controls, extracting sensitive data, or achieving remote code execution—particularly when "safe" file types like images with embedded PHP are uploadable and subsequently included.
WordPress plugin trac references detail patches applied in version 1.6.5 via changeset 3226779, specifically addressing vulnerable code in files such as class-responsive-addons-for-elementor-product-carousel.php (line 3151 in trunk) and class-responsive-addons-for-elementor-woo-products.php (line 3725 in trunk). Wordfence's threat intelligence advisory confirms the issue and recommends updating to the patched version for mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4248
Vulnerability details
The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.4 via several widgets. This makes it possible for authenticated attackers,…
more
with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI in public-facing WordPress plugin widgets directly enables exploitation for RCE and arbitrary file execution by authenticated network attackers.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Remediating the known LFI flaw by patching the plugin to version 1.6.5 or later directly prevents exploitation of the vulnerable widgets.
Validating file path inputs to the affected widgets prevents path traversal attacks that enable arbitrary file inclusion and PHP code execution.
Restricting or prohibiting user installation of unapproved third-party plugins like Responsive Addons prevents deployment of the vulnerable software.