PT-2024-24612 · WordPress · Zita Elementor Site Library

Lucio Sá · Published 2024-06-25 · Updated 2024-06-25 · CVE-2024-3249

CVSS v3.1: 4.3 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Zita Elementor Site Library plugin for WordPress, versions up to and including 1.6.2

Description: The plugin allows authenticated attackers with subscriber-level access and above to modify data without proper authorization, due to a missing capability check on several functions, including "import xml data", "xml data import", "import option data", "import widgets", and "import customizer settings". This enables attackers to create pages, update certain options such as WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS.

Recommendations: For versions up to and including 1.6.2, update to a version in which this vulnerability is fully fixed; version 1.6.2 only partially addresses the issue. As a temporary workaround, restrict access to the "import xml data", "xml data import", "import option data", "import widgets", and "import customizer settings" functions until a fully patched version is available.
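The root cause described above is a handler reachable by any logged-in user that changes site state without checking the caller's capability. The following is an added illustration, not code from the Zita plugin: a hypothetical admin-ajax import handler (action, function and option names are made up) in its vulnerable form and in a hardened form that adds a nonce check, a capability check and an allow-list of writable options.

```php
<?php
// Added example (not the plugin's code): a hypothetical admin-ajax
// "import option data" handler. All names below are invented.

// --- Vulnerable pattern: the only gate is "is the user logged in?" ---
// wp_ajax_{action} fires for ANY authenticated user, subscribers included,
// so without a capability check a subscriber can run an admin-only import.
add_action( 'wp_ajax_demo_import_option_data', 'demo_import_option_data_vulnerable' );
function demo_import_option_data_vulnerable() {
    $options = json_decode( wp_unslash( $_POST['options'] ?? '' ), true );
    foreach ( (array) $options as $name => $value ) {
        update_option( $name, $value ); // writes site options for any logged-in user
    }
    wp_send_json_success();
}

// --- Hardened pattern: nonce + capability check before any state change ---
add_action( 'wp_ajax_demo_import_option_data_safe', 'demo_import_option_data_safe' );
function demo_import_option_data_safe() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (the admin page would emit it with wp_create_nonce( 'demo_import_nonce' )).
    check_ajax_referer( 'demo_import_nonce', 'nonce' );

    // 2. Authorization: only users allowed to manage site options may import.
    //    This is the check the advisory says is missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Least privilege on the data itself: only a fixed allow-list of option
    //    names may be written, so an import cannot touch arbitrary options.
    $allowed = array( 'demo_site_title', 'demo_accent_color' );
    $options = json_decode( wp_unslash( $_POST['options'] ?? '' ), true );
    foreach ( (array) $options as $name => $value ) {
        if ( in_array( $name, $allowed, true ) ) {
            update_option( sanitize_key( $name ), sanitize_text_field( $value ) );
        }
    }
    wp_send_json_success();
}
```

The same three checks apply to each of the import functions the advisory lists; a nonce alone is not an authorization check, since a subscriber can obtain a valid nonce for any page they are allowed to load.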

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-3249

Affected Products: Zita Elementor Site Library