PT-2025-1586 · WordPress · Romethemekit For Elementor

Ankit Patel

Published

2025-01-24

Updated

2025-02-04

CVE-2024-10324

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions RomethemeKit For Elementor plugin for WordPress versions up to, and including, 1.5.2

Description The issue allows authenticated attackers with Contributor-level access and above to extract sensitive private, pending, and draft template data through the register controls function in widgets/offcanvas-rometheme.php. This enables the exposure of sensitive information.

Recommendations For versions up to, and including, 1.5.2, consider disabling the register controls function in widgets/offcanvas-rometheme.php as a temporary workaround until a patch is available. Restrict access to the widgets/offcanvas-rometheme.php file to minimize the risk of exploitation. Avoid using the register controls function in the affected plugin until the issue is resolved.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1230

Related Identifiers

CVE-2024-10324

Affected Products

Romethemekit For Elementor

PT-2025-1586 · WordPress · Romethemekit For Elementor

CVE-2024-10324

Weakness Enumeration

Related Identifiers

Affected Products

References · 8