WordPress Plugin Vulnerabilities

Elementor Pro < 3.19.3 - Authenticated (Contributor+) Information Exposure

Description

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.19.2 . This makes it possible for authenticated attackers, with contributor-level access and above, to extract arbitrary user meta values.

Affects Plugins

Plugin icon
elementor-pro
Fixed in 3.19.3

References

CVE
CVE-2024-23523
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ecc8996a-d95c-4711-ac7d-523f5100c7fc

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dynamic.ooo Team
Verified
No
WPVDB ID
52195b1a-31b9-46da-bed8-7fdd2c6c8c14

Timeline

Publicly Published
2024-02-26 (about 2 years ago)
Added
2024-03-04 (about 2 years ago)
Last Updated
2024-03-04 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
WP-LESS < 1.9.7 - Unauthenticated Sensitive Information Disclosure
Published
2025-04-15
Title
Macro Calculator with Admin Email Optin & Data <= 1.0 - Unauthenticated Information Disclosure
Published
2025-12-05
Title
SendPulse Email Marketing Newsletter < 2.2.2 - Authenticated (Subscriber+) Information Exposure
Published
2025-06-05
Title
Crawlomatic Multisite Scraper Post Generator < 2.6.9 - Unauthenticated Information Exposure via Log Files
Published
2025-08-28
Title
Elementor Addon Elements < 1.14.5 - Authenticated (Contributor+) Information Exposure