{"id":34222,"date":"2025-05-02T14:44:21","date_gmt":"2025-05-02T14:44:21","guid":{"rendered":""},"modified":"2025-09-16T07:09:00","modified_gmt":"2025-09-16T13:09:00","slug":"cve-2024-13808-remote-code-execution-vulnerability-in-xpro-elementor-addons-pro-wordpress-plugin","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2024-13808-remote-code-execution-vulnerability-in-xpro-elementor-addons-pro-wordpress-plugin\/","title":{"rendered":"<strong>CVE-2024-13808: Remote Code Execution Vulnerability in Xpro Elementor Addons &#8211; Pro WordPress Plugin<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>CVE-2024-13808 is a critical security flaw in the Xpro Elementor Addons &#8211; Pro plugin for WordPress. It allows an authenticated attacker to execute code remotely on the server, potentially resulting in system compromise or data leakage, and it affects all versions of the plugin up to and including 1.4.9. The severity of the flaw, combined with the widespread use of the WordPress platform, makes it a substantial security concern that warrants immediate attention from every user of the affected plugin.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2024-13808<br \/>\nSeverity: High (8.8\/10)<br \/>\nAttack Vector: Remote<br \/>\nPrivileges Required: Contributor-level access<br \/>\nUser Interaction: Required<br \/>\nImpact: Potential system compromise or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p>\n<table>\n<tr><th>Product<\/th><th>Affected Versions<\/th><\/tr>\n<tr><td>Xpro Elementor Addons &#8211; Pro WordPress Plugin<\/td><td>Up to and including 1.4.9<\/td><\/tr>\n<\/table>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The vulnerability exists because the custom PHP widget of the Xpro Elementor Addons &#8211; Pro plugin relies on inadequate security controls on the client side; controls enforced only in the browser cannot stop a user who crafts the request directly. An authenticated attacker with contributor-level access or above can therefore send a crafted request that leads to arbitrary code execution on the server. The server processes the injected malicious code, potentially leading to complete system compromise.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p>\n<p>An attacker might exploit this vulnerability by sending a POST request to a vulnerable endpoint, containing a malicious payload. 
This could look something like the following:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/wp-content\/plugins\/xpro-addons-pro\/php-widget-endpoint HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/php\n{ &quot;php_code&quot;: &quot;&lt;?php system(&#039;rm -rf \/&#039;); ?&gt;&quot; }<\/code><\/pre>\n<p>In this conceptual example, the attacker sends a malicious PHP payload that, when executed, could delete all files in the server&#8217;s root directory. The endpoint path and parameter name shown are illustrative.<br \/>\nPlease note that this is a conceptual example and actual exploitation may vary based on the attacker&#8217;s intent and the specific configuration of the targeted system.<\/p>\n<p><strong>Prevention and Mitigation<\/strong><\/p>\n<p>All users of the Xpro Elementor Addons &#8211; Pro plugin for WordPress are strongly advised to update to the latest version of the plugin, which includes a patch for this vulnerability. Because exploitation requires an account with contributor-level access or above, reviewing which accounts hold those roles and removing any that are no longer needed reduces exposure on sites that cannot update immediately. As a temporary mitigation, users can also deploy a Web Application Firewall (WAF) or Intrusion Detection System (IDS) that can detect and block attempts to exploit this vulnerability. 
However, these should not be seen as permanent solutions, but rather as stopgaps until the patch can be applied.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The CVE-2024-13808 vulnerability is a critical security flaw impacting the Xpro Elementor Addons &#8211; Pro plugin for WordPress. This vulnerability can enable attackers to remotely execute code on the server, potentially resulting in system compromise or data leakage. It specifically affects versions up to and including 1.4.9 of the plugin. The severity of this [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[80],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-34222","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-rce"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/34222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=34222"}],"version-history":[{"count":10,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/34222\/revisions"}],"predecessor-version":[{"id":75668,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/34222\/revisions\/75668"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=34222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=342
22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=34222"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=34222"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=34222"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=34222"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=34222"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=34222"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=34222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}