PT-2024-16557 · WordPress · The Royal Elementor Addons/Templates
Francesco Carlucci
·
Published
2024-11-28
·
Updated
2024-11-28
·
CVE-2024-10798
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
The Royal Elementor Addons and Templates plugin for WordPress versions up to, and including, 1.7.1003
Description
The issue allows authenticated attackers with Contributor-level access and above to extract data from private or draft posts created via Elementor that they should not have access to. This is due to insufficient restrictions on which posts can be included via the 'wpr-template' shortcode.
Recommendations
For versions up to, and including, 1.7.1003, consider restricting access to the 'wpr-template' shortcode until a patch is available. As a temporary workaround, limit the use of the shortcode to only necessary and trusted users to minimize the risk of exploitation.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
The Royal Elementor Addons/Templates