Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.110 – Authenticated (Contributor+) Information Exposure | CVE 2024-35674 | Plugin Vulnerabilities

Description

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.109 due to missing restrictions on the getPostDataByObj() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to view password protected posts.

Affects Plugins

unlimited-elements-for-elementor

Fixed in 1.5.110

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/af37b5ab-e7ff-4a2a-98c3-decdf238a13f

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Khalid

Verified

No

WPVDB ID

55dfea02-97c0-4c73-86fa-e206d39eb592

Timeline

Publicly Published

2024-06-05 (about 1 year ago)

Added

2024-06-13 (about 1 year ago)

Last Updated

2024-06-13 (about 1 year ago)

Other

Published

Title

Published

2026-02-24

Title

Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty < 3.5.2 - Unauthenticated Information Exposure

Published

2025-09-22

Title

All In One SEO Pack < 4.8.7.2 - Contributor+ Sensitive Information Exposure

Published

2025-12-15

Title

Document Library Lite < 1.2.0 - Unauthenticated Insecure Direct Object Reference

Published

2024-08-09

Title

myCred < 2.7.3 - Unauthenticated Information Exposure

Published

2025-08-11

Title

Elementor < 3.30.3 - Admin+ Arbitrary File Read via Image Import