Piotnet Addons For Elementor < 2.4.33 – Authenticated (Contributor+) Post Disclosure | CVE 2024-10775 | Plugin Vulnerabilities

Description

The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.4.32 via the 'pafe-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.

Affects Plugins

piotnet-addons-for-elementor

Fixed in 2.4.33

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5fdbc9bc-70cf-4440-b12d-dd98844d33bc

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

17bde01d-70e6-4685-a28e-6dcebb471475

Timeline

Publicly Published

2025-01-14 (about 1 year ago)

Added

2025-01-14 (about 1 year ago)

Last Updated

2025-01-15 (about 1 year ago)

Other

Published

Title

Published

2026-02-11

Title

Cnvrse < 026.02.10.20 - Unauthenticated Insecure Direct Object Reference

Published

2025-03-24

Title

User Registration & Membership (Free < 4.1.2, Pro < 5.1.2) - Unauthenticated Privilege Escalation

Published

2025-02-17

Title

ProfileGrid – User Profiles, Groups and Communities < 5.9.4.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure

Published

2024-05-15

Title

BuddyBoss Platform < 2.6.0 - Subscriber+ Comment on Private Post via IDOR

Published

2023-12-06

Title

Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read