Products
ElementsKit Elementor addons plugin for WordPress
- up to 3.2.0
Source
security@wordfence.com
Tags
CVE-2024-6455 details
Published : July 18, 2024, 9:15 p.m.
Last Modified : July 18, 2024, 9:15 p.m.
Last Modified : July 18, 2024, 9:15 p.m.
Description
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.0 due to a missing capability checks on ekit_widgetarea_content function. This makes it possible for unauthenticated attackers to view any item created in Elementor, such as posts, pages and templates including drafts, pending and private items.
CVSS Score
| 1 | 2 | 3 | 4 | 5.3 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.3
Exploitability Score
3.9
Impact Score
1.4
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
| URL | Source |
|---|---|
| https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.2.0/modules/controls/widget-area-utils.php#L15 | security@wordfence.com |
| https://www.wordfence.com/threat-intel/vulnerabilities/id/7c336530-09b2-4ead-923f-f1a6266e3e8e?source=cve | security@wordfence.com |
This website uses the NVD API, but is not approved or certified by it.