WordPress Plugin Vulnerabilities

Plus Addons for Elementor < 2.0.7 - Contributor+ Privilege Escalation

Description

The plugin does not ensure that users setting the default role to be used in the registration form (of the plugin) are allowed to do so, which would lead to privilege escalation once a post with the form is published (a contributor would need to have the post approved, while author and above can publish the post by themselves)

Affects Plugins

Plugin icon
the-plus-addons-for-elementor-page-builder
Fixed in 2.0.7

References

CVE
CVE-2021-4331

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Verified
No
WPVDB ID
c973f0b3-5bf1-42e1-b08a-c4af1b79c688

Timeline

Publicly Published
2021-04-14 (about 5 years ago)
Added
2023-03-07 (about 3 years ago)
Last Updated
2023-03-07 (about 3 years ago)

Other

Published
Title
Published
2025-06-09
Title
MapSVG < 8.6.13 - Contributor+ Privilege Esclation
Published
2023-11-21
Title
UserPro < 5.1.5 - Authenticated (Subscriber+) Privilege Escalation
Published
2024-10-15
Title
AppPresser < 4.4.5 - Privilege Escalation and Account Takeover via Weak OTP
Published
2016-06-06
Title
OneLogin SAML SSO < 2.2.0 - Provisioned User Hardcoded Password
Published
2024-07-04
Title
Book Your Travel < 8.18.19 - Authenticated (Subscriber+) Privilege Escalation