Premium Addons for Elementor < 4.10.39 – Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion and Arbitrary Title Update | CVE 2024-6824 | Plugin Vulnerabilities

Description

The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content and update post and page titles.

Affects Plugins

premium-addons-for-elementor

Fixed in 4.10.39

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b2840b9e-1baf-460c-ba11-43e4279ece27

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

da8f52fc-e62d-4894-bc13-711e01b815b1

Timeline

Publicly Published

2024-08-07 (about 1 year ago)

Added

2024-08-07 (about 1 year ago)

Last Updated

2024-08-07 (about 1 year ago)

Other

Published

Title

Published

2020-10-08

Title

Dynamic Content for Elementor < 1.9.6 - Authenticated RCE

Published

2021-10-01

Title

Stripe For WooCommerce 3.0.0 - 3.3.9 - Missing Authorization Controls to Financial Account Hijacking

Published

2021-05-31

Title

The Plus Addons for Elementor Page Builder < 4.1.11 - Arbitrary Reset Pwd Email Sending

Published

2021-07-07

Title

WP Upload Restriction < 2.2.5 - Missing Access Control in deleteCustomType

Published

2019-08-09

Title

Woody Ad Snippets < 2.2.6 - Arbitrary Post Deletion