PT-2024-17131 · WordPress · Sky Addons For Elementor

Dale Mavers

Published

2024-11-21

Updated

2024-11-22

CVE-2024-11601

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions The Sky Addons for Elementor plugin for WordPress versions up to, and including, 2.6.1

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the save options() function. This allows unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The impact is limited to option values that can be saved as arrays.

Recommendations For versions up to, and including, 2.6.1, update to a version that includes the fix for the missing or incorrect nonce validation on the save options() function. As a temporary workaround, consider restricting access to the save options() function until a patch is available.

Fix

Missing Authorization

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-352

Related Identifiers

CVE-2024-11601

Affected Products

Sky Addons For Elementor

PT-2024-17131 · WordPress · Sky Addons For Elementor

CVE-2024-11601

Weakness Enumeration

Related Identifiers

Affected Products

References · 9