What the vulnerability does
01 Description
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
Explanation of Vulnerability in Simple Terms
02 Summary
Xpro Elementor Addons versions up to 1.4.19.1 allow authenticated administrators to upload files without proper validation. An attacker with admin privileges can upload malicious files to compromise the site. The vulnerability affects confidentiality, integrity, and availability of the WordPress installation.
What an attacker can do
03 Attacker Capabilities
Upload malicious files to the site and execute code with full site privileges.
Potential impact on your site
04 Site Impact
A compromised admin account can upload files to take over your entire WordPress installation.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator-level access to the WordPress site.
Key dates
06 Disclosure timeline
January 22, 2026: CVE published
April 28, 2026: Record updated