What is the CVSS score of CVE-2024-13808?

CVE-2024-13808 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 1.9%.

Which versions of PHP are affected by CVE-2024-13808?

Organizations using for WordPress is vulnerable to Remote Code Execution in all face significant risk from CVE-2024-13808, a code injection vulnerability rated CVSS 8.8.

How to fix or mitigate CVE-2024-13808?

Within 7 days: Identify all affected systems running for WordPress is vulnerable to Remote Code Execution in all and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

PHP CVE-2024-13808

HIGH

Code Injection (CWE-94)

2025-04-26 security@wordfence.com

RCE WordPress PHP Code Injection Xpro Addons For Elementor Elementor

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:38 vuln.today

CVE Published

Apr 26, 2025 - 05:15 nvd

HIGH 8.8

DescriptionCVE.org

The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.9 via the custom PHP widget. This is due to their only being client side controls when determining who can access the widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

AnalysisAI

The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.9 via the custom PHP widget. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.9 via the custom PHP widget. This is due to their only being client side controls when determining who can access the widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. Affected products include: Wpxpro Xpro Addons For Elementor.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

More from same product – last 7 days

CVE-2026-55692 HIGH This Week POC

7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi

CVE-2026-9815 MEDIUM This Month POC

6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co

CVE-2026-48908 CRITICAL Act Now

10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL Act Now

10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve

CVE-2025-69108 CRITICAL Act Now

9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

CVE-2024-13808 vulnerability details – vuln.today

Back

PHP CVE-2024-13808

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code