WordPress Plugin Vulnerabilities

Elementor < 3.24.6 - Contributor+ Information Exposure via get_image_alt

Description

The plugin is vulnerable to Basic Information Exposure via the get_image_alt function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract either excerpt data or titles of private or password-protected posts.

Affects Plugins

Plugin icon
elementor
Fixed in 3.24.6

References

CVE
CVE-2024-6757
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/96fa9ed7-6c13-4356-8a25-8a309be2b0e9

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
2.7 (low)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
dce5ad0c-3ce9-498f-b0f7-8dfd6ee82e40

Timeline

Publicly Published
2024-10-14 (about 1 year ago)
Added
2024-10-14 (about 1 year ago)
Last Updated
2024-10-14 (about 1 year ago)

Other

Published
Title
Published
2025-02-17
Title
1 Click WordPress Migration Plugin – 100% FREE for a limited time < 2.3 - Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php
Published
2024-06-05
Title
Restrict for Elementor < 1.0.8 - Protection Mechanism Bypass
Published
2024-02-02
Title
LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments
Published
2024-01-10
Title
WPS Hide Login < 1.9.12 - Hidden Login Page Location Disclosure
Published
2024-02-08
Title
InfiniteWP Client < 1.12.3.1 - Unauthenticated Sensitive Information Exposure