CVE-2024-6824: Premium Addons for Elementor <= 4.10.38 - Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion and Arbitrary Title Update
First published: Thu Aug 08 2024(Updated: )
The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content and update post and page titles.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Leap13 Premium Addons For Elementor | <4.10.39 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/trunk/includes/addons-integration.php#L159
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/trunk/includes/addons-integration.php#L184
- https://plugins.trac.wordpress.org/changeset/3131564/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b2840b9e-1baf-460c-ba11-43e4279ece27?source=cve
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/type
- agent/title
- agent/severity
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/tags
- vendor/leap13
- canonical/leap13 premium addons for elementor