WordPress Plugin Vulnerabilities

Element Pack Elementor Addons < 5.4.12 - Missing Authorization via bdt_duplicate_as_draft

Description

The Element Pack Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'bdt_duplicate_as_draft' function in versions up to, and including, 5.4.11. This makes it possible for authenticated attackers, with contributor-level access and above, to duplicate other user's posts and set their user as the author of the duplicated post.

Affects Plugins

Plugin icon
bdthemes-element-pack-lite
Fixed in 5.4.12

References

CVE
CVE-2024-24840
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/164a1e09-e967-450c-8938-84c18ebf267d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abu Hurayra (HurayraIIT)
Verified
No
WPVDB ID
8f1de960-73da-414a-ad72-09c14366b8e2

Timeline

Publicly Published
2024-02-02 (about 2 years ago)
Added
2024-02-09 (about 2 years ago)
Last Updated
2024-02-09 (about 2 years ago)

Other

Published
Title
Published
2024-02-22
Title
Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio <= 3.6.4 - Missing Authorization
Published
2025-10-12
Title
Masterstudy < 4.8.122 - Missing Authorization
Published
2025-11-20
Title
Checkbox < 2.8.11 - Missing Authorization to Unauthenticated Log Clearing
Published
2025-06-09
Title
Membership For WooCommerce < 2.8.2 - Missing Authorization
Published
2026-03-11
Title
Advanced Product Fields (Product Addons) for WooCommerce < 1.6.19 - Missing Authorization