WordPress Plugin Vulnerabilities

140+ Widgets | Xpro Addons For Elementor – FREE < 1.4.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template

Description

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.6 via the render function in widgets/content-toggle/layout/frontend.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

Affects Plugins

Plugin icon
xpro-elementor-addons
Fixed in 1.4.6.1

References

CVE
CVE-2024-10319
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/382a46c2-9fec-4642-93b0-c06b9ed1c086

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ankit Patel
Verified
No
WPVDB ID
fadbf1e2-321b-4e00-96cd-fce128200190

Timeline

Publicly Published
2024-11-04 (about 1 year ago)
Added
2024-11-04 (about 1 year ago)
Last Updated
2024-11-05 (about 1 year ago)

Other

Published
Title
Published
2023-12-01
Title
Importify < 1.0.5 - Unauthenticated Sensitive Information Exposure
Published
2024-04-05
Title
Premium Addons for Elementor < 4.10.23 - Authenticated (Contributor+) Sensitive Information Exposure
Published
2026-01-16
Title
WP Hotel Booking < 2.2.8 - Unauthenticated Sensitive Information Exposure via 'email' Parameter
Published
2024-11-19
Title
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce < 6.0.4 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Published
2025-07-21
Title
Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure