Medium severity6.5NVD Advisory· Published Mar 7, 2023· Updated Apr 8, 2026

CVE-2021-4332

Description

The Plus Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin has a feature to add an "Info Box" to an Elementor created page. This Info Box can include an SVG image for the box. Unfortunately, the plugin used file_get_contents with no verification that the file being supplied was an SVG file, so any user with access to the Elementor page builder, such as contributors, could read arbitrary files on the WordPress installation.

Affected products

Posimyth/The Plus Addons For Elementor2 versions
cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:free:wordpress:*:*+ 1 more
- cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:free:wordpress:*:*range: <=2.0.6
- cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:pro:wordpress:*:*range: <=4.1.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/aa698e7e-b1c7-4ead-aa2e-7fbfc9dfac80nvdThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/aa698e7e-b1c7-4ead-aa2e-7fbfc9dfac80nvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000