Sight – Professional Image Gallery and Portfolio < 1.1.3 – Missing Authorization to Sensitive Information Exposure in handler_post_title | CVE 2024-9025 | Plugin Vulnerabilities

Description

The Sight – Professional Image Gallery and Portfolio plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handler_post_title' function in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to expose private, pending, trashed, and draft post titles. Successful exploitation requires the Elementor plugin to be installed and activated.

Affects Plugins

Fixed in 1.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f889342e-03fb-44eb-b5cb-acf115a526c3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

2294c26c-f3c0-4d91-bfc8-ee7c23184115

Timeline

Publicly Published

2024-09-25 (about 1 year ago)

Added

2024-09-25 (about 1 year ago)

Last Updated

2024-09-26 (about 1 year ago)

Other

Published

Title

Published

2025-04-01

Title

Publitio < 2.1.9 - Missing Authorization

Published

2024-12-02

Title

Simple User Registration < 6.0 - Missing Authorization to User Deletion

Published

2025-04-01

Title

UPC/EAN/GTIN Code Generator < 2.0.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update

Published

2026-05-11

Title

iPOSpays Gateways WC <= 1.3.7 - Unauthenticated Missing Authorization to Settings Update via REST API Endpoint

Published

2026-02-13

Title

CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update