CVE-2024-13808 is a remote code execution (RCE) vulnerability in the WPXpro Xpro Elementor Addons - Pro WordPress plugin, affecting all versions up to and including 1.4.9. The vulnerability stems from improper control over code generation (CWE-94) within the plugin's custom PHP widget. Specifically, the plugin relies solely on client-side controls to determine who can access and use this widget, which is insufficient for security. As a result, authenticated attackers with Contributor-level access or higher can bypass these controls and inject arbitrary PHP code that executes on the server. This bypass enables attackers to fully compromise the affected WordPress site, potentially leading to data theft, site defacement, or use of the server for further attacks. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS 3.1 base score of 8.8 reflects its high impact on confidentiality, integrity, and availability, with low attack complexity and only requiring low privileges (authenticated contributor). No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. Given the widespread use of Elementor and its addons in WordPress sites, this vulnerability poses a significant risk to many websites that have installed this plugin.

The impact of CVE-2024-13808 is severe for organizations running WordPress sites with the vulnerable Xpro Elementor Addons - Pro plugin. Successful exploitation allows attackers to execute arbitrary PHP code on the web server, leading to full system compromise. This can result in unauthorized data access or exfiltration, defacement or destruction of website content, installation of backdoors or malware, and use of the compromised server as a pivot point for further attacks within the network. The vulnerability affects the confidentiality, integrity, and availability of the affected systems. Since Contributor-level access is sufficient, attackers who gain relatively low privileges (e.g., through weak credentials or social engineering) can escalate to full server compromise. This threat is particularly critical for organizations relying on WordPress for business-critical websites, e-commerce, or customer data management. The lack of user interaction and low complexity of exploitation increase the likelihood of attacks once the vulnerability is known. The absence of known exploits in the wild currently provides a small window for remediation before widespread exploitation occurs.

To mitigate CVE-2024-13808, organizations should immediately assess whether they use the WPXpro Xpro Elementor Addons - Pro plugin and identify the installed version. Since no official patches are currently linked, administrators should consider the following specific actions: 1) Disable or remove the vulnerable plugin entirely until a secure update is released. 2) Restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of insider threats or compromised accounts. 3) Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the custom PHP widget endpoints. 4) Monitor server and application logs for unusual PHP execution or privilege escalation attempts. 5) Harden WordPress installations by enforcing strong authentication, limiting plugin installations, and regularly auditing user roles. 6) Stay updated with vendor announcements for patches or security advisories and apply updates promptly once available. 7) Consider isolating WordPress instances in segmented network zones to limit lateral movement if compromise occurs. These targeted mitigations go beyond generic advice by focusing on the specific attack vector and privilege requirements of this vulnerability.