CVE-2024-9025

Name of the Vulnerable Software and Affected Versions: The Sight – Professional Image Gallery and Portfolio plugin for WordPress versions up to, and including, 1.1.2

Description: The issue is related to unauthorized access of data due to a missing capability check on the handler post title function. This allows unauthenticated attackers to expose private, pending, trashed, and draft post titles. Successful exploitation requires the Elementor plugin to be installed and activated.

Recommendations: For versions up to, and including, 1.1.2, update to a version that includes a fix for the missing capability check on the handler post title function. As a temporary workaround, consider disabling the handler post title function until a patch is available. Restrict access to private, pending, trashed, and draft post titles to minimize the risk of exploitation.