CVE-2024-1358
📋 TL;DR
The Elementor Addon Elements WordPress plugin (slug: addon-elements-for-elementor-page-builder) has a directory traversal vulnerability in the render function of its shape-separator widget. Authenticated attackers with contributor-level access or higher can use it to read arbitrary PHP files on the server, potentially exposing sensitive information such as configuration files or credentials. All versions up to and including 1.12.12 are affected; 1.12.13 fixes it.
💻 Affected Systems
- Elementor Addon Elements for WordPress, all versions up to and including 1.12.12
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive files like wp-config.php containing database credentials, leading to full site compromise, data theft, or server takeover.
Likely Case
Attackers with contributor access read configuration files to obtain database credentials, then escalate privileges or exfiltrate sensitive data.
If Mitigated
If contributor-level (and higher) accounts are limited to trusted users, or the plugin is deactivated, the traversal is unreachable and impact is nil. Note that filesystem permissions do not reduce impact here: the read happens inside the PHP process, which must already be able to read wp-config.php for the site to run.
🎯 Exploit Status
Exploitation requires an authenticated account at contributor level or higher; unauthenticated exploitation is not possible. The vulnerable source (tag 1.12.12) and the fixing changeset are public in the plugin's Subversion repository (see References), so the required request is easy to reconstruct for anyone with such an account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.13 and later
Fix Changeset: https://plugins.trac.wordpress.org/changeset/3037925/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/widgets/shape-separator.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Addon Elements for Elementor'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.12.13 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Addon Elements plugin until it is patched:
wp plugin deactivate addon-elements-for-elementor-page-builder
Restrict contributor access
The bug is only reachable by authenticated users at contributor level or above. Until patched, audit contributor-level accounts and temporarily demote or disable any that are not needed.
🧯 If You Can't Patch
- Do not rely on file permissions to contain this bug: wp-config.php must be readable by the PHP process, and that process is the one doing the reading. Reduce the number of contributor-level accounts instead, and review who holds them.
- Add web application firewall rules that block traversal sequences (`../`, `..\`, and their percent-encoded and double-encoded forms such as `..%2f` and `%252e%252e%252f`) in request parameters and POST bodies, not only in the URI path, since widget settings are submitted in the request body.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.12.12 or lower, you are vulnerable.
Check Version:
wp plugin get addon-elements-for-elementor-page-builder --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.12.13 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Requests from authenticated sessions whose parameters contain `../` sequences (including encoded forms such as `..%2f`, `..%5c` and `%2e%2e%2f`). Note that widget settings are usually submitted in POST bodies, which standard access logs do not record; a WAF or application-level log that keeps request bodies is needed to see most attempts.
- PHP warnings or errors in the site's error log that name paths outside the plugin directory (for example references to wp-config.php), correlated with a contributor-level session.
Network Indicators:
- HTTP requests carrying directory traversal payloads (e.g., '../../wp-config.php') in widget settings aimed at the shape-separator widget's render function, typically submitted through the Elementor editor by a low-privilege authenticated user
SIEM Query:
source="web_logs" AND (uri="*../*" OR uri="*..%2f*" OR uri="*..%2F*" OR uri="*%2e%2e%2f*" OR uri="*..%5c*")
Extend the same pattern to the request-body field if your log source retains POST bodies; do not filter on a WordPress user agent, since the attacker's browser will present an ordinary user agent.
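Worked detection logic for the log indicators above, as an added example that is not the plugin's, Wordfence's or this page's own code. It models the concatenation bug class (`include $dir . '/' . $value . '.php'`) with a containment check, which is also the test a hardened render function should perform on the realpath() before touching the filesystem. The plugin's real parameter name (`shape` here), the `shapes/` directory, the `action` value and the record layout are all assumptions, and the log records are constructed.

```python
"""Flag directory-traversal attempts against a file-reading widget parameter.

Added example for this advisory, not code from the plugin.  It inspects both
the query string and (when the log source keeps it) the form-encoded POST
body, because Elementor widget settings travel in the request body.
"""
import posixpath
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed directory the widget is meant to read from; the real layout is not on this page.
SHAPES_DIR = ("/var/www/html/wp-content/plugins/"
              "addon-elements-for-elementor-page-builder/modules/shape-separator/shapes")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded %252e%252e%252f is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(base: str, user_value: str) -> bool:
    """Model `include base . '/' . value . '.php'` and report whether the
    normalised result lands outside base.  Backslashes are folded to slashes
    so Windows-style payloads are not missed; a NUL byte is hostile regardless."""
    value = fully_decode(user_value).replace("\\", "/")
    if "\x00" in value:
        return True
    base = base.rstrip("/")
    resolved = posixpath.normpath(base + "/" + value)
    # Plain names, leading slashes and "." stay inside base; only ".." escapes.
    return resolved != base and not resolved.startswith(base + "/")


def params_from_request(uri: str, body: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (name, value) pairs from the query string and the POST body."""
    yield from parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    if body:
        yield from parse_qsl(body, keep_blank_values=True)


def scan(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per parameter value that would escape SHAPES_DIR."""
    findings = []
    for rec in records:
        for name, value in params_from_request(rec["uri"], rec.get("body", "")):
            if escapes_base(SHAPES_DIR, value):
                findings.append({
                    "user": rec["user"],
                    "param": name,
                    "decoded": fully_decode(value).replace("\\", "/"),
                })
    return findings


# Constructed records in the shape a WAF or application log might emit.
SAMPLE_RECORDS = [
    {"user": "editor1", "method": "GET", "uri": "/?p=12&shape=wave", "body": ""},
    {"user": "contrib7", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=save&shape=..%2F..%2F..%2F..%2Fwp-config"},
    {"user": "contrib7", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=save&shape=%252e%252e%252f%252e%252e%252fwp-config"},
    {"user": "contrib7", "method": "GET",
     "uri": "/wp-admin/admin-ajax.php?shape=..%5C..%5Cwp-config%00", "body": ""},
    # Absolute-looking values are benign for a concatenating include and must not alert.
    {"user": "anon", "method": "GET", "uri": "/wp-login.php?redirect_to=%2Fwp-admin%2F", "body": ""},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"user={f['user']} param={f['param']} value={f['decoded']!r}")
```

The containment test deliberately models string concatenation rather than `os.path.join` semantics: a leading slash does not reset the path in `$dir . $value`, so `/etc/passwd` is not a traversal here and is left unflagged, which keeps common values like `redirect_to=/wp-admin/` out of the alert stream.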
🔗 References
- https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.12.12/modules/shape-separator/widgets/shape-separator.php#L89
- https://plugins.trac.wordpress.org/changeset/3037925/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/widgets/shape-separator.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/20cd3fff-0488-4bc2-961b-2427925e6a96?source=cve