Sight – Professional Image Gallery and Portfolio < 1.1.3 – Missing Authorization to Sensitive Information Exposure in handler_post_title | CVE 2024-9025 | Plugin Vulnerabilities

Description

The Sight – Professional Image Gallery and Portfolio plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handler_post_title' function in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to expose private, pending, trashed, and draft post titles. Successful exploitation requires the Elementor plugin to be installed and activated.

Affects Plugins

Fixed in 1.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f889342e-03fb-44eb-b5cb-acf115a526c3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

2294c26c-f3c0-4d91-bfc8-ee7c23184115

Timeline

Publicly Published

2024-09-25 (about 1 year ago)

Added

2024-09-25 (about 1 year ago)

Last Updated

2024-09-26 (about 1 year ago)

Other

Published

Title

Published

2023-10-25

Title

Product Recommendation Quiz for eCommerce < 2.1.2 - Missing Authorization in prq_set_token

Published

2026-02-08

Title

AI ChatBot with ChatGPT and Content Generator by AYS < 2.7.5 - Missing Authorization

Published

2024-04-11

Title

Filter Custom Fields & Taxonomies Light <= 1.05 - Missing Authorization

Published

2025-09-22

Title

Memberful < 1.76.0 - Missing Authorization

Published

2025-01-06

Title

WordPress File Upload < 4.25.0 - Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal