CVE-2024-2203 in Plus Addons for Elementor Plugin
Summary
by MITRE • 03/27/2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Clients widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/13/2026
The vulnerability identified as CVE-2024-2203 affects the Plus Addons for Elementor plugin, a popular WordPress extension that enhances the functionality of the Elementor page builder. This plugin has been widely adopted by web developers and content creators who rely on its extensive collection of widgets and features to build dynamic websites. The vulnerability exists specifically within the Clients widget functionality, which is designed to display client logos or testimonials on websites. The issue manifests as a Local File Inclusion (LFI) flaw that has been present in all versions up to and including 5.4.1, making it a critical concern for WordPress administrators who have deployed this plugin on their sites.
The technical exploitation of this vulnerability occurs through authenticated attack vectors where threat actors with contributor-level access or higher can manipulate the Clients widget to include arbitrary files from the server filesystem. This LFI vulnerability falls under CWE-22, which specifically addresses improper limitation of a pathname to a restricted directory, commonly known as path traversal attacks. The flaw allows attackers to bypass normal access controls by leveraging the plugin's file inclusion mechanism, enabling them to execute PHP code contained within the included files. This creates a severe privilege escalation scenario where attackers can leverage their limited contributor access to achieve full server compromise.
The operational impact of CVE-2024-2203 extends beyond simple code execution capabilities, as it provides attackers with the ability to bypass access controls and obtain sensitive data from the affected WordPress installation. When combined with the ability to upload images and other "safe" file types, attackers can upload malicious files with specific extensions that will be processed by the vulnerable Clients widget. This creates a dangerous exploitation chain where threat actors can upload PHP webshells or other malicious code, then use the LFI vulnerability to include and execute these files. The vulnerability also aligns with ATT&CK technique T1059.007, which covers the execution of code through PHP, and T1566.002, which involves social engineering through the exploitation of web applications.
Mitigation strategies for this vulnerability require immediate action from WordPress administrators who have deployed the Plus Addons for Elementor plugin. The primary recommendation is to update to the latest version of the plugin where the LFI vulnerability has been patched. However, in cases where immediate updates are not feasible, administrators should implement additional security measures such as restricting contributor-level access to only essential functionality, implementing proper input validation on all user-supplied data, and monitoring file upload directories for suspicious activity. The vulnerability also highlights the importance of following security best practices including principle of least privilege, regular security audits, and maintaining up-to-date security tooling. Organizations should also consider implementing web application firewalls and intrusion detection systems to monitor for exploitation attempts targeting known vulnerabilities like this LFI flaw.