WordPress Plugin Vulnerabilities

Essential Real Estate < 5.1.7 - Missing Authorization to Authenticated (Contributor+) Information Exposure

Description

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs

Affects Plugins

Plugin icon
essential-real-estate
Fixed in 5.1.7

References

CVE
CVE-2024-12329
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fa5b1bf3-344e-4ae6-87b9-2dcaafd417a5

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Noah Stead (TurtleBurg)
Verified
No
WPVDB ID
00229a17-7b24-44df-8c46-fadebd315e44

Timeline

Publicly Published
2024-12-11 (about 1 year ago)
Added
2024-12-11 (about 1 year ago)
Last Updated
2024-12-12 (about 1 year ago)

Other

Published
Title
Published
2024-03-12
Title
Post Grid Combo – 36+ Gutenberg Blocks < 2.2.69 - Information Exposure via get_posts API Endpoint
Published
2024-10-14
Title
Elementor < 3.24.6 - Contributor+ Information Exposure via get_image_alt
Published
2025-12-31
Title
Varnish/Nginx Proxy Caching <= 1.8.3 - Unauthenticated Information Exposure
Published
2023-11-28
Title
BigCommerce <= 5.1.2 - Unauthenticated Sensitive Information Exposure
Published
2022-01-03
Title
Document Embedder < 1.7.9 - Subscriber+ Arbitrary Private/Draft Post Title Disclosure