CVE-2024-11600
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.6.0 - Authenticated (Administrator+) Remote Code ExecutionThe Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.6.0 via the 'write_config' function. This is due to a lack of sanitization on an imported JSON file. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
We have discovered 215 live websites that are affected by CVE-2024-11600.
Affected Software
| Product |  Borderless |
| Category | Wordpress Plugins |
| Vulnerable Domains | 215 live websites (22% of Borderless install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 23 versions ( 72% of all versions) |
Common Weakness Enumeration
CWE-94 Improper Control of Generation of Code ('Code Injection')Details
- Published - Jan 30, 2025
- Updated - Apr 8, 2026
Credits
- anhchangmutrang (finder)
- Trương Hữu Phúc (truonghuuphuc) (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-11600 United States | 57 websites |
 Switzerland | 20 websites |
 GB | 16 websites |
 Germany | 12 websites |
 France | 12 websites |
 Netherlands | 10 websites |
 Austria | 6 websites |
 Indonesia | 6 websites |
 India | 6 websites |
 Brazil | 5 websites |
Website Distribution by TLD
Number of websites using CVE-2024-11600| .com | 72 websites |
| .org | 20 websites |
| .ch | 19 websites |
| .co.uk | 11 websites |
| .nl | 8 websites |
| .com.br | 6 websites |
| .it | 6 websites |
| .fr | 6 websites |
| .at | 5 websites |
| .com.au | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-11600
Top websites that are affected by CVE-2024-11600. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.com | Indonesia | ***,*** | |
| ***************.fr | France | *,***,*** | |
| **********.com | United States | *,***,*** | |
| ********.org | United States | *,***,*** | |
| *******.com | Germany | *,***,*** | |
| ********.******.org | United States | *,***,*** | |
| ****.ad | France | *,***,*** | |
| **********.org | United States | *,***,*** | |
| ****.***.au | United States | *,***,*** | |
| ********.nl | Netherlands | *,***,*** |
FAQ
CVE-2024-11600 is Improper Control of Generation of Code ('Code Injection') in Borderless
A total of 215 websites have been identified as vulnerable to CVE-2024-11600, based on global website indexing conducted by WebTechSurvey.
The Borderless is affected by the CVE-2024-11600 vulnerability.
Borderless versions up to and including 1.6 are vulnerable to CVE-2024-11600.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/643b8b82-c4e1-4b81-a7e0-aee0f9270702?source=cve
- https://plugins.trac.wordpress.org/browser/borderless/tags/1.5.7/includes/icon-manager/icon-manager.php#L249
- https://plugins.trac.wordpress.org/browser/borderless/tags/1.5.7/includes/icon-manager/icon-manager.php#L333
- https://plugins.trac.wordpress.org/browser/borderless/tags/1.5.7/includes/icon-manager/icon-manager.php#L388
- https://plugins.trac.wordpress.org/changeset/3231327/borderless/trunk?contextall=1&old=3230461&old_path=%2Fborderless%2Ftrunk