WordPress Plugin Vulnerabilities

Elements kit Elementor addons < 3.2.0 - Missing Authorization

Description

The Elements kit Elementor addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_content_editor() function in versions up to, and including, 3.1.4. This makes it possible for unauthenticated attackers to update post data.

Affects Plugins

Plugin icon
elementskit-lite
Fixed in 3.2.0

References

CVE
CVE-2024-37255
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a1cf8b8f-bf74-444c-88cc-cc836ee45f26

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
b47ac535-9793-4ffb-85d7-1c801f5c06a4

Timeline

Publicly Published
2024-06-27 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2024-01-24
Title
Views for WPForms < 3.2.3 - Cross-Site Request Forgery via create_view
Published
2018-12-04
Title
JobCareer < 2.4.1 - User enumeration & Reset password
Published
2021-01-28
Title
uListing < 1.7 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
Published
2021-11-15
Title
User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access
Published
2021-05-07
Title
Leads-5050 Visitor Insights < 1.1.0 - Unauthorised License Change