WordPress Plugin Vulnerabilities

Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs) < 2.6.2 - Cross-Site Request Forgery to Limited Arbitrary Options Update

Description

The Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the save_options() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Please note this is limited to option values that can be saved as arrays.

Affects Plugins

Plugin icon
sky-elementor-addons
Fixed in 2.6.2

References

CVE
CVE-2024-11601
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b951fd9-0fbf-4576-80a9-dbb053c3da92

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.1 (high)

Miscellaneous

Original Researcher
vgo0
Verified
No
WPVDB ID
93ada7ce-88c1-4c49-86d5-135e166e8dad

Timeline

Publicly Published
2024-11-21 (about 1 year ago)
Added
2024-11-21 (about 1 year ago)
Last Updated
2024-11-22 (about 1 year ago)

Other

Published
Title
Published
2025-12-05
Title
Tablesome < 1.1.35.1 - Missing Authorization
Published
2024-10-30
Title
Get Quote For Woocommerce <= 1.0.0 - Unauthenticated Quote PDF and CSV Download
Published
2024-12-30
Title
Hestia Nginx Cache < 2.4.1 - Missing Authorization
Published
2024-04-30
Title
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid < 7.7.0 - Missing Authorization
Published
2025-12-11
Title
Masker for Elementor <= 1.1.4 - Missing Authorization