WordPress Plugin Vulnerabilities

Elementor Addon Elements < 1.14 - Contributor+ Sensitive Information Disclosure

Description

The plugin is vulnerable to Sensitive Information Exposure via the 'render' function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.

Affects Plugins

Plugin icon
addon-elements-for-elementor-page-builder
Fixed in 1.14

References

CVE
CVE-2024-13215
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4feacb75-0533-4f53-8ce9-3e45ee8336e2

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Ankit Patel
Verified
No
WPVDB ID
f14fa602-c811-46bc-a5a2-7a884a07a830

Timeline

Publicly Published
2025-01-14 (about 1 year ago)
Added
2025-01-15 (about 1 year ago)
Last Updated
2025-01-15 (about 1 year ago)

Other

Published
Title
Published
2024-10-30
Title
Woo Manage Fraud Orders <= 2.6.1 - Unauthenticated Information Exposure via Log Files
Published
2023-12-28
Title
Affiliates Manager < 2.9.31 - Sensitive Information Exposure via Log File
Published
2024-08-12
Title
Order Export for WooCommerce < 3.24 - Unauthenticated Sensitive Information Exposure
Published
2025-05-16
Title
Spotlight - Social Media Feeds (Premium) < 1.7.2 - Unauthenticated Information Exposure
Published
2023-10-11
Title
ChatBot < 4.9.1 - Unauthenticated Sensitive Data Disclosure