CVE-2024-13353: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in cyberchimps Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
CVE-2024-13353 is a high-severity Local File Inclusion (LFI) vulnerability in the Responsive Addons for Elementor WordPress plugin, affecting all versions up to and including 1.6.4. Authenticated users with Contributor-level access or higher can exploit this flaw to include and execute arbitrary files on the server, enabling remote code execution without user interaction. The vulnerability arises from improper control of the filename passed to include/require statements (CWE-98), allowing attackers to bypass access controls and potentially read sensitive data or execute malicious PHP code. No public exploits are known yet, but the low exploitation effort and the impact make it a critical concern for WordPress sites using this plugin. Immediate patching or mitigation is essential to prevent compromise.
AI Analysis
Technical Summary
CVE-2024-13353 is a Local File Inclusion vulnerability in the Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress, affecting all versions up to and including 1.6.4. The vulnerability stems from improper validation and control of the filenames used in include or require statements within several of the plugin's widgets. An authenticated attacker with at least Contributor-level privileges can influence which file is included and thereby cause the server to include arbitrary files. Because the WordPress Contributor role can upload certain file types such as images, an attacker can upload a file containing PHP code disguised as a safe file type and then include and execute it through this flaw, yielding remote code execution and bypassing normal access controls. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement). The CVSS v3.1 base score is 8.8 (high), reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are known yet, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors or permissive user role management. The absence of a patch at the time of reporting increases the urgency of mitigation.
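The CWE-98 pattern described above, as an added example that is not the plugin's own code: a hypothetical widget renderer that includes a template chosen by a user-supplied name, first in the unsafe form and then hardened with an allowlist plus a realpath check that confines the resolved file to the template directory. The function names, `$templateDir` and the allowlist entries are assumptions.

```php
<?php
// Added example (not the plugin's code). Names such as $templateDir,
// loadWidgetTemplateUnsafe and loadWidgetTemplate are assumed.

// CWE-98 pattern: the user-controlled $name reaches include unchecked, so a
// traversal string or a path to an uploaded "image" that contains PHP would
// be executed. Shown only to make clear what the hardened version removes.
function loadWidgetTemplateUnsafe(string $templateDir, string $name): void
{
    include $templateDir . '/' . $name . '.php';
}

// Hardened version: only names from an explicit allowlist are accepted, and
// the resolved path must still lie inside $templateDir after realpath().
function loadWidgetTemplate(string $templateDir, string $name): bool
{
    static $allowed = ['card', 'list', 'grid']; // constructed allowlist

    if (!in_array($name, $allowed, true)) {
        return false;                      // unknown template name: refuse
    }

    $base = realpath($templateDir);
    $file = realpath($templateDir . '/' . $name . '.php');
    if ($base === false || $file === false) {
        return false;                      // directory or template missing
    }

    // Defense in depth: the trailing separator stops a sibling directory
    // with a shared prefix (e.g. templates-old/) from passing the check.
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    include $file;
    return true;
}
```

The allowlist alone already blocks traversal and upload-directory paths; the realpath confinement is a second check in case the allowlist is later widened to computed names.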
Potential Impact
The impact of CVE-2024-13353 is severe for organizations running WordPress sites with the affected Responsive Addons for Elementor plugin. Successful exploitation allows attackers to execute arbitrary PHP code on the web server, leading to full compromise of the affected site. This can result in unauthorized access to sensitive data, defacement, installation of backdoors or malware, and use of the compromised server as a pivot point for further attacks within the network. Since Contributor-level users can exploit this flaw, insider threats or compromised contributor accounts significantly increase risk. The vulnerability undermines the integrity and availability of the website and can damage organizational reputation, lead to data breaches, and cause operational disruptions. Given WordPress's widespread use globally, the threat has broad implications for businesses, government agencies, and other entities relying on this CMS and plugin ecosystem.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations for the presence of the Responsive Addons for Elementor plugin and verify the version in use. Until an official patch is released, consider the following mitigations:
1) Restrict user roles and permissions to minimize the number of users with Contributor-level or higher access;
2) Disable or remove the vulnerable plugin if it is not essential;
3) Implement web application firewall (WAF) rules to detect and block suspicious file inclusion attempts targeting the plugin's widgets;
4) Restrict file upload types and scan uploaded files for malicious content;
5) Monitor logs for unusual file inclusion or PHP execution patterns;
6) Employ the principle of least privilege for all WordPress users;
7) Prepare for rapid patching once an official fix is available from the vendor.
Additionally, consider isolating WordPress instances and backing up data regularly to enable recovery from compromise.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Netherlands, Japan, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-13T15:23:33.616Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e51b7ef31ef0b59e268
Added to database: 2/25/2026, 9:49:05 PM
Last enriched: 2/26/2026, 1:26:11 AM
Last updated: 2/26/2026, 7:39:56 AM