WordPress Plugin Vulnerabilities

Elementor Header & Footer Builder < 1.6.44 - Authenticated (Contributor+) Information Disclosure via Shortcode

Description

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 1.6.43 via the hfe_template shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to view the contents of Draft, Private and Password-protected posts they do not own.

Affects Plugins

Plugin icon
header-footer-elementor
Fixed in 1.6.44

References

CVE
CVE-2024-10050
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/662f6ae2-2047-4bbf-b4a6-2d536051e389

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
85f19e03-9939-4f9a-8064-36103ed6dd62

Timeline

Publicly Published
2024-10-23 (about 1 year ago)
Added
2024-10-29 (about 1 year ago)
Last Updated
2024-10-29 (about 1 year ago)

Other

Published
Title
Published
2021-02-23
Title
Web-Stat < 1.4.1 - API Key Disclosure
Published
2025-01-16
Title
WPDB to Sql <= 1.2 - Unauthenticated Sensitive Information Exposure
Published
2023-11-06
Title
Restrict Content < 3.2.8 - Information Exposure via legacy log file
Published
2024-04-22
Title
Newsletters < 4.9.6 - Information Exposure via Log files
Published
2024-07-11
Title
Olive One Click Demo Import <= 1.1.2 - Unauthenticated Information Exposure