WordPress Plugin Vulnerabilities

ElementsReady Addons for Elementor < 6.4.9 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates

Description

The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.4.8 in inc/Widgets/accordion/output/content.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

Affects Plugins

Plugin icon
element-ready-lite
Fixed in 6.4.9

References

CVE
CVE-2024-10356
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b0a48c91-7e2c-4708-b5af-dfbcfea08f83

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ankit Patel
Verified
No
WPVDB ID
9e90368e-fbdf-410d-9df3-1a6b75df508a

Timeline

Publicly Published
2024-12-16 (about 1 year ago)
Added
2024-12-17 (about 1 year ago)
Last Updated
2024-12-17 (about 1 year ago)

Other

Published
Title
Published
2023-12-13
Title
Debug Log Manager < 2.3.0 - Sensitive Logs Exposure
Published
2024-12-09
Title
Simple Restrict < 1.2.8 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Published
2025-02-25
Title
SureMembers < 1.10.7 - Sensitive Information Exposure
Published
2025-08-14
Title
B Slider - Gutenberg Slider Block for WP < 2.0.1 - Authenticated (Subscriber+) Sensitive Information Exposure
Published
2023-08-14
Title
InfiniteWP Client < 1.12.1 - Unauthenticated Sensitive Information Exposure