WordPress Plugin Vulnerabilities

Elementor Addon Elements < 1.12.8 - Unauthenticated Post ID/Tile Disclosure

Description

The plugin does not have authorisation in its ajax_eae_post_data function, allowing unauthenticated users to retrieve arbitrary posts/pages (such as draft, private etc) IDs and tiles

Affects Plugins

Plugin icon
addon-elements-for-elementor-page-builder
Fixed in 1.12.8

References

CVE
CVE-2023-4723

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka, Paolo Tresso
Verified
No
WPVDB ID
6a30528e-47d5-46b6-b553-c732cb4d255f

Timeline

Publicly Published
2023-11-15 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2024-06-11
Title
Newsletter - API v1 and v2 addon for Newsletter < 2.4.6 - Missing Authorization to Email Subscribers Management
Published
2026-02-11
Title
Exzo <= 1.2.4 - Missing Authorization
Published
2025-09-03
Title
F4 Media Taxonomies < 1.1.5 - Missing Authorization
Published
2024-04-05
Title
Masteriyo - LMS < 1.7.3 - Unauthenticated Privilege Escalation
Published
2023-11-15
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 4.10.1 - Missing Authorization to Template Import