ElementsKit Elementor addons Vulnerability – Authenticated (Contributor+) Local File Inclusion in render_raw – CVE-2024-2047 | WordPress Plugin Vulnerability Report
Plugin Name: ElementsKit Elementor addons
Key Information:
- Software Type: Plugin
- Software Slug: elementskit-lite
- Software Status: Active
- Software Author: xpeedstudio
- Software Downloads: 17,423,199
- Active Installs: 1,000,000
- Last Updated: April 1, 2024
- Patched Versions: 3.0.7
- Affected Versions: <= 3.0.6
Vulnerability Details:
- Name: ElementsKit Elementor addons <= 3.0.6 Authenticated (Contributor+) Local File Inclusion in render_raw
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE: CVE-2024-2047
- CVSS Score: 8.8
- Publicly Published: March 29, 2024
- Researcher: Wesley
- Description: The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in versions up to and including 3.0.6 via the render_raw function. This vulnerability allows authenticated attackers, with contributor-level access or higher, to include and execute arbitrary files already present on the server, so that any PHP code in those files runs. This can lead to bypassing access controls, obtaining sensitive data, or executing attacker-supplied code, especially when "safe" file types like images can be uploaded and then included.
Summary:
The ElementsKit Elementor addons plugin for WordPress has a significant vulnerability in versions up to and including 3.0.6 that allows authenticated users with at least contributor-level access to exploit Local File Inclusion via the render_raw function. This vulnerability has been addressed and patched in version 3.0.7.
Detailed Overview:
Discovered by researcher Wesley, this vulnerability in the render_raw function of ElementsKit Elementor addons poses a serious security risk: a contributor-level account can make the plugin include arbitrary files from the server, and if the attacker can also get a file containing PHP onto the server (for example, an uploaded image carrying a PHP payload), including it executes that code. The risk is exacerbated by the plugin's wide usage, with over a million active installs. The swift response by xpeedstudio to patch this in version 3.0.7 highlights the critical nature of the vulnerability.
Advice for Users:
- Immediate Action: Users should immediately update to version 3.0.7 to mitigate the vulnerability.
- Check for Signs of Vulnerability: Review web-server and WordPress logs for directory-traversal sequences (../), PHP stream wrappers (php://) and references to sensitive files in request parameters, and check which contributor-level accounts were active around any suspicious requests. Also review the media library and the uploads directory for files that should not be there, since an uploaded file is what turns this inclusion flaw into code execution.
- Alternate Plugins: Consider alternative plugins offering similar functionalities as a precaution, even though a patch is available.
- Stay Updated: Regularly update all plugins to their latest versions to prevent potential vulnerabilities.
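The two checks above can be scripted. The following is an added example, not code from the original report or from xpeedstudio: it reads the installed version from the plugin header and compares it against the patched release 3.0.7, then sweeps access-log lines for generic Local File Inclusion indicators. The plugin's main-file path (wp-content/plugins/elementskit-lite/elementskit-lite.php) is an assumption derived from the slug; the log lines and the `action`/`file` parameter names in them are constructed for illustration and are not the plugin's real endpoint, since the report does not publish the request shape of this CVE.

```python
"""Triage helpers for CVE-2024-2047 (ElementsKit Elementor addons <= 3.0.6).

1. Read the installed plugin version and decide whether it predates 3.0.7.
2. Sweep access-log lines for generic LFI indicators (directory traversal,
   PHP stream wrappers, sensitive file paths). These are generic heuristics,
   not the exact request shape of this CVE, which the report does not give.
"""
import re
from pathlib import Path
from typing import Iterable, Optional
from urllib.parse import unquote

PATCHED_VERSION = "3.0.7"
# Assumed path of the plugin's main file (from the slug); verify on your install.
PLUGIN_MAIN_FILE = "wp-content/plugins/elementskit-lite/elementskit-lite.php"

_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header block."""
    m = _VERSION_HEADER.search(header_text)
    return m.group(1) if m else None


def read_installed_version(wp_root: str) -> Optional[str]:
    """Read the version from the plugin's main file under a WordPress root."""
    main_file = Path(wp_root) / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return None  # not installed at the assumed path
    return parse_plugin_version(main_file.read_text(errors="replace"))


def version_tuple(version: str) -> tuple:
    """'3.0.6' -> (3, 0, 6); numeric compare so 3.0.10 sorts above 3.0.7.
    A pre-release suffix such as '-beta' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched release."""
    return version_tuple(version) < version_tuple(patched)


# LFI indicators, matched against the URL-decoded request target. The encoded
# traversal form is kept to catch double-encoded requests after one decode.
_TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e(%2f|%5c|/)", re.I)
_WRAPPER = re.compile(r"\b(php|phar|expect|file|zip|glob)://|\bdata:", re.I)
_SENSITIVE = re.compile(r"wp-config\.php|/etc/passwd|\.htaccess", re.I)
# Combined log format: ip ident user [time] "METHOD target proto" status size
_ACCESS_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def scan_access_log(lines: Iterable[str]) -> list:
    """Return one finding per request whose target carries LFI indicators."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _ACCESS_LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, _ts, method, target, status = m.groups()
        decoded = unquote(target)
        reasons = []
        if _TRAVERSAL.search(decoded):
            reasons.append("directory traversal")
        if _WRAPPER.search(decoded):
            reasons.append("php stream wrapper")
        if _SENSITIVE.search(decoded):
            reasons.append("sensitive file path")
        if reasons:
            findings.append({"line": n, "ip": ip, "method": method, "target": target,
                             "status": int(status), "reasons": reasons})
    return findings


def triage(header_text: str, log_lines: Iterable[str]) -> dict:
    """Combine both checks into one summary."""
    version = parse_plugin_version(header_text)
    return {"installed_version": version,
            "needs_update": version is not None and is_vulnerable(version),
            "suspicious_requests": scan_access_log(log_lines)}


# Constructed sample data: a header at the last vulnerable version and five
# log lines whose 'action'/'file' parameters are placeholders, not the real endpoint.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: ElementsKit Elementor addons
 * Author: xpeedstudio
 * Version: 3.0.6
 */
"""
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2024:10:01:02 +0000] "GET /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 5120
203.0.113.5 - - [30/Mar/2024:10:01:40 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=../../../../wp-config.php HTTP/1.1" 200 912
198.51.100.9 - - [30/Mar/2024:10:02:11 +0000] "GET /?p=1 HTTP/1.1" 200 8321
203.0.113.5 - - [30/Mar/2024:10:02:59 +0000] "POST /wp-admin/admin-ajax.php?action=example&file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 704
203.0.113.5 - - [30/Mar/2024:10:03:21 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1433
"""

if __name__ == "__main__":
    report = triage(SAMPLE_PLUGIN_HEADER, SAMPLE_LOG.splitlines())
    print(f"installed {report['installed_version']}, needs update: {report['needs_update']}")
    for f in report["suspicious_requests"]:
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['target']} -> {', '.join(f['reasons'])}")
```

On a real site, replace the sample header with `read_installed_version("/var/www/html")` (or, with WP-CLI, `wp plugin get elementskit-lite --field=version`) and feed the access log in with `open(path)`. Findings are starting points, not proof of compromise: a 200 response to a traversal or php:// request from one client IP is what to pull apart next, together with which contributor accounts were logged in at that time.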
Conclusion:
The rapid response by the ElementsKit Elementor addons' development team to fix this vulnerability underscores the necessity of keeping software up to date. To secure WordPress installations, users must ensure they are running version 3.0.7 or later of this plugin.
References:
- Wordfence - ElementsKit Elementor addons <= 3.0.6 Authenticated Contributor+ Local File Inclusion
- Wordfence - ElementsKit Elementor addons Vulnerability Details
Detailed Report:
In the ever-evolving digital landscape, your website stands as the digital storefront of your business, embodying its essence and values to the world. Yet, this digital embodiment is not without its vulnerabilities, as highlighted by the recent discovery of a significant security flaw in the ElementsKit Elementor addons plugin, CVE-2024-2047. This incident serves as a potent reminder of the crucial need for vigilance and the constant maintenance of your digital presence to safeguard it from potential threats.
The Plugin at the Heart of the Matter
The ElementsKit Elementor addons plugin, developed by xpeedstudio, is a cornerstone for over a million WordPress sites, enriching them with a wide array of functionalities. As of April 1, 2024, this plugin had been downloaded over 17 million times, a testament to its popularity and integral role in the WordPress ecosystem.
Unveiling the Vulnerability
CVE-2024-2047, discovered by a researcher named Wesley, is a Local File Inclusion (LFI) vulnerability present in versions of the plugin up to and including 3.0.6. This flaw allows authenticated users, with contributor-level access or higher, to include and execute arbitrary files on the server. Such a breach could potentially lead to unauthorized access to sensitive data, disruption of website functionality, or even a full-scale compromise of the website's integrity.
The Risks and Impacts
The implications of this vulnerability are serious. For small business owners, a compromised website could mean not just a temporary setback, but a significant loss of customer trust and revenue, and the potential exposure of sensitive information. The fact that this plugin had faced seven vulnerabilities since April 13, 2021, underscores the persistent threat landscape that online assets navigate.
Steps Towards Remediation
In response to the discovery, xpeedstudio acted swiftly to release a patched version of the plugin, 3.0.7, effectively closing the door on this specific vulnerability. Users of the plugin are strongly advised to update to this latest version immediately to secure their sites. Furthermore, regular audits of server logs for unusual activities and the consideration of alternative plugins are prudent steps towards a robust defense.
A Look Back: Previous Vulnerabilities
The history of vulnerabilities in the ElementsKit Elementor addons plugin serves as a stark reminder of the ongoing battle between maintaining functionality and ensuring security. Each incident, while resolved, adds to the collective learning and the continuous improvement of security practices within the WordPress community.
The Imperative of Vigilance
For small business owners, the digital realm offers immense opportunities but also poses significant risks. The recent vulnerability in the ElementsKit Elementor addons plugin highlights the critical importance of staying abreast of security updates and vulnerabilities. In an era where time is a scarce commodity, leveraging managed WordPress hosting services, subscribing to security advisories, and partnering with cybersecurity professionals can alleviate the burden of constant vigilance, allowing you to focus on growing your business while ensuring its digital embodiment remains secure and trustworthy.
In conclusion, the digital security of your WordPress website is not just about protecting data; it's about safeguarding your business's reputation and the trust of your customers. The proactive management of vulnerabilities like CVE-2024-2047 is not just a technical necessity but a fundamental business practice in today's digital age.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.