Prime Slider – Addons For Elementor < 3.11.11 – Incorrect Authorization via bdt_duplicate_as_draft | CVE 2024-24883 | Plugin Vulnerabilities

Description

The Prime Slider – Addons For Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the bdt_duplicate_as_draft() function in versions up to, and including, 3.11.10. This makes it possible for authenticated attackers, with contributor-level access and above, to duplicate posts that may be private or password protected and view the contents.

Affects Plugins

bdthemes-prime-slider-lite

Fixed in 3.11.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/691b7428-73e5-4800-85a1-19daa85aff4e

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abu Hurayra (HurayraIIT)

Verified

No

WPVDB ID

213a3708-63e0-4797-b977-4ad1126daf1c

Timeline

Publicly Published

2024-02-05 (about 2 years ago)

Added

2024-02-09 (about 2 years ago)

Last Updated

2024-02-09 (about 2 years ago)

Other

Published

Title

Published

2022-03-21

Title

Salon booking system < 7.6.3 - Customer+ Bookings/Customers Data Disclosure

Published

2020-07-30

Title

JetBackup < 1.4.1 - Subscriber+ Arbitrary Backup Location Update

Published

2022-07-25

Title

Flipbox < 2.6.1 - Authenticated Arbitrary Options Update

Published

2024-01-05

Title

Icegram < 3.1.22 - Contributor+ Campaign Status Toggle / Duplication

Published

2026-02-10

Title

Page Builder Features < 3.6.0 - Contributor+ Post Publication