WordPress Plugin Vulnerabilities

WidgetKit < 2.5.5 - Missing Authorization to Notice Dismissal

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the wk_td_ads_dismiss_notice() function. This makes it possible for unauthenticated attackers to dismiss notices.

Affects Plugins

Plugin icon
widgetkit-for-elementor
Fixed in 2.5.5

References

CVE
CVE-2024-33908
URL
https://patchstack.com/database/wordpress/plugin/widgetkit-for-elementor/vulnerability/wordpress-widgetkit-plugin-2-4-8-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
0.0 (none)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
f6af3dec-6e97-4c4a-aa33-0d36f4ad3019

Timeline

Publicly Published
2024-04-29 (about 2 years ago)
Added
2024-05-07 (about 2 years ago)
Last Updated
2025-04-29 (about 1 year ago)

Other

Published
Title
Published
2022-01-24
Title
Coming soon and Maintenance mode < 3.6.7 - Subscriber+ Arbitrary Email Sending to Subscribed Users
Published
2026-01-07
Title
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager < 3.1.6 - Missing Authorization to Authenticated (Author+) Media Replacement
Published
2025-05-16
Title
CSS3 Tooltips for WordPress < 1.9 - Missing Authorization
Published
2026-03-20
Title
Comments Import & Export < 2.5.0 - Missing Authorization
Published
2025-10-14
Title
Oceanpayment CreditCard Gateway <= 6.0 - Unauthenticated Order Status Update