RomethemeKit For Elementor < 1.5.3 – Contributor+ Sensitive Information Exposure via Elementor Templates | CVE 2024-10324 | Plugin Vulnerabilities

Description

The RomethemeKit For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.2 via the register_controls function in widgets/offcanvas-rometheme.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

Affects Plugins

rometheme-for-elementor

Fixed in 1.5.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cd726b20-75c9-408e-86fc-061db591a9db

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Ankit Patel

Verified

No

WPVDB ID

880a5873-189f-411f-93cf-b44c980855bd

Timeline

Publicly Published

2025-01-23 (about 1 year ago)

Added

2025-01-27 (about 1 year ago)

Last Updated

2025-01-27 (about 1 year ago)

Other

Published

Title

Published

2024-07-09

Title

SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer < 3.10.9 - Unauthenticated Full Path Disclosure

Published

2026-03-27

Title

Ninja Forms < 3.14.2 - Contributor+ Sensitive Information Disclosure via Block Editor Token

Published

2021-04-15

Title

WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure

Published

2025-11-09

Title

Follow My Blog Post < 2.4.0 - Unauthenticated Information Exposure

Published

2024-02-02

Title

WP Visitor Statistics (Real Time Traffic) < 6.9.5 - Sensitive Information Exposure via Log File