PT-2022-9522 · WordPress · The Plus Addons For Elementor

Nicolas Vidal · Published 2022-01-10 · Updated 2022-10-25 · CVE-2021-24948

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: The Plus Addons for Elementor - Pro WordPress plugin, versions prior to 5.0.7

Description: The qvquery parameter of the tp_get_dl_post_info_ajax AJAX action is not validated. This could allow unauthenticated users to access sensitive information, including private and draft posts.

Recommendations: For versions prior to 5.0.7, update to version 5.0.7 or later to resolve the issue. As a temporary workaround, restrict access to the tp_get_dl_post_info_ajax AJAX action so that unauthenticated users cannot reach the handler that fails to validate the qvquery parameter.
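The temporary workaround above can be applied without touching the plugin's files. The following must-use plugin is an added example written for this advisory; it is not code from the plugin vendor or from Positive Technologies. It assumes the standard WordPress dispatch of unauthenticated admin-ajax.php requests to the wp_ajax_nopriv_{action} hook, so the hook name is derived from the action named in the advisory; the function names are hypothetical. The second guard, on the authenticated wp_ajax_{action} hook, goes beyond the advisory's workaround (which only covers unauthenticated users) by requiring the capability that matches the disclosed impact, reading private posts.

```php
<?php
/**
 * Plugin Name: Workaround for CVE-2021-24948 (tp_get_dl_post_info_ajax)
 * Description: Refuses unauthenticated calls to the AJAX action named in the
 *              advisory until The Plus Addons for Elementor Pro is updated to 5.0.7+.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 * Hypothetical example written for this advisory, not code from the plugin vendor.
 */

defined( 'ABSPATH' ) || exit;

// The AJAX action from the advisory. WordPress routes unauthenticated
// admin-ajax.php requests to 'wp_ajax_nopriv_{action}' and authenticated
// ones to 'wp_ajax_{action}'.
const PT_TP_DL_ACTION = 'tp_get_dl_post_info_ajax';

/**
 * Stop the request before the plugin's own callback runs.
 * Priority 0 places this callback ahead of the plugin's default priority (10),
 * and wp_send_json_error() terminates the request via wp_die(), so the
 * unvalidated handler is never reached for anonymous callers.
 */
function pt_block_nopriv_tp_get_dl_post_info_ajax() {
    if ( is_user_logged_in() ) {
        return; // not expected on the nopriv hook; do not interfere if it happens
    }
    wp_send_json_error(
        array( 'message' => 'Authentication required.' ),
        403
    );
}
add_action( 'wp_ajax_nopriv_' . PT_TP_DL_ACTION, 'pt_block_nopriv_tp_get_dl_post_info_ajax', 0 );

/**
 * Defence in depth for logged-in callers (goes beyond the advisory's workaround):
 * the disclosed impact is access to private and draft posts, so require the
 * capability that legitimately grants that access.
 */
function pt_guard_priv_tp_get_dl_post_info_ajax() {
    if ( ! current_user_can( 'read_private_posts' ) ) {
        wp_send_json_error(
            array( 'message' => 'Insufficient privileges for this action.' ),
            403
        );
    }
}
add_action( 'wp_ajax_' . PT_TP_DL_ACTION, 'pt_guard_priv_tp_get_dl_post_info_ajax', 0 );
```

Blocking the nopriv hook also breaks any front-end feature of the plugin that legitimately calls this action for anonymous visitors, which is why the advisory presents it as a temporary measure rather than a fix; a rise in HTTP 403 responses from admin-ajax.php for action=tp_get_dl_post_info_ajax in the web server log is the expected signature once the guard is in place, and the permanent remedy remains updating to 5.0.7 or later.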

Exploit · Fix

Weakness Enumeration: Information Disclosure; Special Elements Injection

Related Identifiers: CVE-2021-24948

Affected Products: The Plus Addons For Elementor