PT-2025-7398 · WordPress · Premium Addons For Elementor

Francesco Carlucci · Published 2025-02-20 · Updated 2025-02-20 · CVE-2024-13855

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Prime Addons for Elementor plugin for WordPress versions up to, and including, 2.0.1

Description

The issue concerns an Insecure Direct Object Reference vulnerability. This vulnerability is due to missing validation on a user-controlled key in the pae global block shortcode. As a result, authenticated attackers with Contributor-level access and above can extract information from non-public posts, including drafts, private, password-protected, and restricted posts, but only for posts created with Elementor.

Recommendations

For Prime Addons for Elementor plugin for WordPress versions up to, and including, 2.0.1, consider disabling the pae global block shortcode until a patch is available to prevent exploitation. Restrict access to posts created with Elementor to minimize the risk of information extraction. Avoid using the pae global block shortcode with user-controlled input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
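
The kind of validation the description says is missing, shown as an added example that is not the plugin's code: a shortcode handler that checks whether the current viewer may read the referenced post before rendering it. The shortcode tag `example_global_block`, its `id` attribute and both function names are hypothetical; the WordPress and Elementor calls are existing APIs.

```php
<?php
// Added example (hypothetical names): authorize the referenced post ID
// before a shortcode renders its Elementor content.

function example_viewer_can_see_post( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post instanceof WP_Post ) {
        return false; // unknown ID: render nothing
    }
    // Password-protected post and the viewer has not supplied the password.
    if ( post_password_required( $post ) ) {
        return false;
    }
    // Published content of a public post type may be embedded for anyone.
    if ( is_post_publicly_viewable( $post ) ) {
        return true;
    }
    // Draft, pending, private, etc.: require the per-post meta capability.
    // For a Contributor this is only true for their own posts.
    return current_user_can( 'read_post', $post->ID );
}

function example_global_block_shortcode( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'example_global_block' );
    $post_id = absint( $atts['id'] ); // user-controlled key: never trust it as-is

    if ( ! $post_id || ! example_viewer_can_see_post( $post_id ) ) {
        return ''; // fail closed, without revealing whether the ID exists
    }
    if ( ! class_exists( '\Elementor\Plugin' ) ) {
        return '';
    }
    // Render only after the authorization check has passed.
    return \Elementor\Plugin::instance()->frontend
        ->get_builder_content_for_display( $post_id );
}
add_shortcode( 'example_global_block', 'example_global_block_shortcode' );
```

Restrictions applied by membership or content-restriction plugins are not covered by these core checks and need that plugin's own access API.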

Improper Access Control

IDOR


Weakness Enumeration

Related Identifiers

CVE-2024-13855

Affected Products

Premium Addons For Elementor