Vulnerability Description
The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to, and including, 4.1.9 (pro) and 2.0.6 (free). The plugin has a feature to add an "Info Box" to an Elementor-created page, and this Info Box can include an SVG image. Unfortunately, the plugin passed the supplied path to file_get_contents with no verification that the file was an SVG file (or that it lived under the uploads directory), so any user with access to the Elementor page builder, such as a contributor, could read arbitrary files on the WordPress installation.
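The unchecked file_get_contents pattern the description names, beside a hardened form, as an added illustration for this record: it is not the plugin's own code, and the function names and the `svg_path` setting are hypothetical. It assumes the WordPress core functions `wp_upload_dir()` and `realpath()`-resolvable upload paths.

```php
<?php
// Illustrative code added to this record; it is not the plugin's own source.
// Function and setting names are hypothetical.

// Vulnerable pattern the advisory describes: a widget setting is handed to
// file_get_contents() as-is, so any file the web server can read is returned.
function info_box_svg_vulnerable( array $settings ): string {
    $path = (string) $settings['svg_path']; // set by any Elementor editor, e.g. a contributor
    return (string) file_get_contents( $path );
}

// Hardened form: confine the path to the uploads directory, require an .svg
// extension, and confirm the bytes parse as an SVG document before inlining.
function info_box_svg_hardened( array $settings ): string {
    $uploads = wp_upload_dir();                     // WordPress core API
    $base    = realpath( $uploads['basedir'] );
    $target  = realpath( $base . '/' . ltrim( (string) $settings['svg_path'], '/' ) );
    if ( false === $base || false === $target ) {
        return '';
    }
    // realpath() has already collapsed ".." and symlinks, so a prefix check holds.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }
    if ( 'svg' !== strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) ) {
        return '';
    }
    $bytes = file_get_contents( $target );
    if ( false === $bytes ) {
        return '';
    }
    // Parse without network access; the root element must be <svg>.
    $prev = libxml_use_internal_errors( true );
    $doc  = simplexml_load_string( $bytes, 'SimpleXMLElement', LIBXML_NONET );
    libxml_use_internal_errors( $prev );
    if ( false === $doc || 'svg' !== $doc->getName() ) {
        return '';
    }
    // Inlining raw SVG still needs markup sanitisation (scripts, event handlers);
    // that is a separate concern from the file-read bug addressed here.
    return $bytes;
}
```

Storing a media-library attachment ID instead of a path, and resolving it with `get_attached_file()`, removes the path handling entirely and is the more idiomatic WordPress fix.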
CVSS Score
MEDIUM (CVSS base score 6.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Posimyth | The Plus Addons For Elementor | <= 2.0.6 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old (Third Party Advisory)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/aa698e7e-b1c7-4ead-aa2 (Third Party Advisory)
FAQ
What is CVE-2021-4332?
CVE-2021-4332 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin has a feature to add an "Info Box" to...
How severe is CVE-2021-4332?
CVE-2021-4332 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2021-4332?
Check the references section above for vendor advisories and patch information. Affected products include: Posimyth The Plus Addons For Elementor.