Hash Elements < 1.4.8 – Missing Authorization to Unauthenticated Draft Post Title Exposure | CVE 2024-10802 | Plugin Vulnerabilities

Description

The Hash Elements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hash_elements_get_posts_title_by_id() function in all versions up to, and including, 1.4.7. This makes it possible for unauthenticated attackers to retrieve draft post titles that should not be accessible to unauthenticated users.

Affects Plugins

Fixed in 1.4.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/010590bc-98fb-4afe-9c5e-80ad4c50a34e

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

cc6d9a77-7245-40da-a133-6136676eca0e

Timeline

Publicly Published

2024-11-12 (about 1 year ago)

Added

2024-11-12 (about 1 year ago)

Last Updated

2024-11-13 (about 1 year ago)

Other

Published

Title

Published

2022-05-02

Title

Breeze < 2.0.3 - Subscriber+ Arbitrary Settings Update to Stored XSS

Published

2024-08-28

Title

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar < 5.7.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion

Published

2026-02-18

Title

SMS Alert Order Notifications < 3.9.1 - Missing Authorization

Published

2025-12-20

Title

Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX < 5.0.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure

Published

2025-01-06

Title

Export Import Menus < 1.9.2 - Missing Authorization to Unauthenticated Menu Export