CVE-2024-2210 in Plus Addons for Elementor Plugin
Summary
by MITRE • 03/27/2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Team Member Listing widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/13/2026
The vulnerability identified as CVE-2024-2210 affects the Plus Addons for Elementor WordPress plugin, specifically targeting versions up to and including 5.4.1. This represents a critical security flaw that undermines the integrity of WordPress installations using this plugin, creating a pathway for authenticated attackers to escalate their privileges and execute arbitrary code on affected servers. The vulnerability resides within the Team Member Listing widget functionality, which is commonly used to display team member information on websites built with the Elementor page builder. The security implications extend beyond simple code execution, as this flaw enables attackers to bypass access controls and potentially gain unauthorized access to sensitive system data.
The technical exploitation of this Local File Inclusion vulnerability occurs through improper input validation within the Team Member Listing widget implementation. Attackers with contributor-level access or higher can manipulate the plugin's file inclusion mechanisms to load and execute arbitrary PHP files stored on the server. This flaw operates under CWE-22, which classifies it as a path traversal vulnerability, allowing unauthorized file access through manipulation of input parameters. The vulnerability's impact is amplified because it leverages the plugin's legitimate file handling capabilities to execute malicious code, making detection more challenging for security monitoring systems. The attack vector specifically targets the plugin's handling of user-supplied parameters that should be restricted to valid file paths, but instead allow for arbitrary file inclusion.
From an operational perspective, this vulnerability creates a significant risk for WordPress administrators and website owners who rely on the Plus Addons plugin for Elementor. The requirement for contributor-level access or higher means that attackers must first compromise user accounts, but once achieved, they can execute code with the privileges of the web server process. This can lead to complete system compromise, data exfiltration, and the installation of backdoors or additional malware. The vulnerability's exploitation potential is particularly concerning because it can be used to bypass access controls that should protect sensitive system files and user data. Organizations may experience unauthorized access to server resources, including the ability to read configuration files, user databases, and other sensitive information that could be leveraged for further attacks within the network infrastructure.
The mitigation strategies for CVE-2024-2210 should prioritize immediate plugin updates to versions that address the Local File Inclusion vulnerability, as recommended by the plugin developers and security vendors. System administrators should implement strict access controls and regularly audit user permissions to minimize the risk of unauthorized account compromise. Network monitoring solutions should be configured to detect unusual file access patterns and potential exploitation attempts. Additionally, implementing web application firewalls and input validation controls can help prevent malicious parameter manipulation. The vulnerability's classification under ATT&CK technique T1059.007 (Command and Scripting Interpreter: PowerShell) highlights the importance of monitoring for PowerShell-based attacks that may exploit similar file inclusion patterns. Organizations should also conduct regular security assessments of their WordPress installations, including vulnerability scanning and penetration testing, to identify and remediate similar weaknesses in their web applications. The attack surface expansion through file inclusion vulnerabilities underscores the critical need for proper input validation and the principle of least privilege in WordPress plugin implementations.