WordPress Plugin Vulnerabilities

The Plus Addons for Elementor Page Builder Lite < 5.6.3 - Missing Authorization

Description

The The Plus Addons for Elementor Page Builder Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the /includes/plus-options/extension/cmb2-field-ajax-search.php file in versions up to, and including, 5.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to search for details they shouldn't have access to.

Affects Plugins

Plugin icon
the-plus-addons-for-elementor-page-builder
Fixed in 5.6.3

References

CVE
CVE-2024-43932
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/78a5b2ab-4735-41b9-8807-8f98586cd3d7

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
049e9d1b-d982-49cd-bb9f-8a9fc4f10b71

Timeline

Publicly Published
2024-08-26 (about 1 year ago)
Added
2024-09-04 (about 1 year ago)
Last Updated
2024-09-04 (about 1 year ago)

Other

Published
Title
Published
2025-10-31
Title
Post SMTP < 3.6.1 - Account Takeover via Unauthenticated Email Log Disclosure
Published
2025-05-16
Title
Salon Booking Pro <= 10.10.2 - Missing Authorization
Published
2025-12-12
Title
Popover Windows <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions
Published
2025-06-05
Title
Payment QR WooCommerce <= 1.1.6 - Missing Authorization
Published
2024-12-14
Title
Job Board Manager <= 2.1.60 - Missing Authorization