CVE-2024-10873 in LA-Studio Element Kit for Elementor Plugin
Summary
by MITRE • 11/23/2024
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the _load_template function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/12/2025
The vulnerability identified as CVE-2024-10873 affects the LA-Studio Element Kit for Elementor WordPress plugin, representing a critical local file inclusion flaw that undermines the security posture of affected systems. This vulnerability exists within the plugin's _load_template function and impacts all versions up to and including 1.4.2, making it a persistent threat across multiple releases. The flaw specifically targets authenticated users who possess Contributor-level access or higher privileges within the WordPress environment, which significantly broadens the potential attack surface since contributors typically have the ability to create and edit posts, pages, and media files.
The technical nature of this vulnerability stems from improper input validation within the _load_template function, which fails to adequately sanitize user-supplied parameters before using them to determine file paths for inclusion. This weakness allows attackers to manipulate the file inclusion mechanism by injecting malicious file paths or references, thereby enabling arbitrary file inclusion attacks. When combined with the ability to upload files through the contributor role, attackers can upload malicious PHP files and subsequently include them through the vulnerable template loading mechanism. This creates a complete code execution pathway that bypasses normal access controls and allows for arbitrary PHP code execution within the context of the web server.
The operational impact of this vulnerability extends beyond simple code execution capabilities, as it provides attackers with the means to bypass access controls that are typically enforced by WordPress and the Elementor platform. An authenticated attacker with contributor privileges can leverage this vulnerability to access sensitive data, manipulate content, and potentially escalate privileges within the WordPress environment. The attack vector becomes particularly dangerous when considering that contributors can upload various file types including images, which can then be manipulated to include malicious code. This vulnerability essentially allows attackers to transform a limited contributor role into a full system compromise, as they can execute arbitrary PHP code and potentially gain access to database credentials, user information, and other sensitive system data.
Mitigation strategies for CVE-2024-10873 should prioritize immediate plugin updates to versions that have addressed this vulnerability, as the vendor has likely released patches to resolve the improper input validation in the _load_template function. Organizations should also implement additional security measures including restricting contributor privileges where possible, implementing strict file upload validation, and monitoring for unauthorized file uploads or template modifications. The vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, and maps to ATT&CK technique T1059.007 for execution through PHP, demonstrating how this flaw can be exploited to achieve persistent access and maintain control over compromised systems. Regular security audits and vulnerability assessments should be conducted to identify similar issues in other plugins and themes, as this represents a common pattern in WordPress plugin vulnerabilities that can be exploited by attackers with minimal privileges.