CVE-2024-10794

Name of the Vulnerable Software and Affected Versions Boostify Header Footer Builder for Elementor plugin for WordPress versions up to, and including, 1.3.6

Description The issue is related to Information Exposure, where authenticated attackers with Contributor-level access and above can extract data from private or draft posts created via Elementor that they should not have access to. This is possible due to insufficient restrictions on which posts can be included via the bhf shortcode.

Recommendations For versions up to, and including, 1.3.6, update to the latest version to mitigate risks. As a temporary workaround, consider restricting access to the bhf shortcode until a patch is available. Restrict Contributor-level access and above to minimize the risk of exploitation.