CVE-2024-13353

CVE-2024-13353 is a Local File Inclusion (LFI) vulnerability in the Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress, affecting all versions up to and including 1.6.4. The flaw resides in several widgets, enabling the inclusion and execution of arbitrary files on the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the affected widgets, they can include arbitrary server files containing PHP code for execution, bypassing access controls, extracting sensitive data, or achieving remote code execution—particularly when "safe" file types like images with embedded PHP are uploadable and subsequently included.

WordPress plugin trac references detail patches applied in version 1.6.5 via changeset 3226779, specifically addressing vulnerable code in files such as class-responsive-addons-for-elementor-product-carousel.php (line 3151 in trunk) and class-responsive-addons-for-elementor-woo-products.php (line 3725 in trunk). Wordfence's threat intelligence advisory confirms the issue and recommends updating to the patched version for mitigation.