WordPress Plugin Vulnerabilities

Essential Addons for Elementor < 5.9.14 - Unauthenticated Private/Draft Posts Access

Description

The plugin is vulnerable to Sensitive Information Exposure via the load_more function. This can allow unauthenticated attackers to extract sensitive data including private and draft posts.

Affects Plugins

Plugin icon
essential-addons-for-elementor-lite
Fixed in 5.9.14

References

CVE
CVE-2024-2974
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/78f96d7f-aeca-4959-9573-0fb6402de007

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ankit Patel
Verified
No
WPVDB ID
e2aa7fa0-d9c4-4a41-9479-350ea2ba375a

Timeline

Publicly Published
2024-03-29 (about 1 months ago)
Added
2024-04-01 (about 1 months ago)
Last Updated
2024-04-01 (about 1 months ago)

Other

Published
Title
Published
2024-04-22
Title
Simply Static < 3.1.4 - Unauthenticated Information Exposure
Published
2024-04-05
Title
WordPress Backup & Migration < 1.4.8 - Unauthenticated Sensitive Information Exposure
Published
2024-03-06
Title
MasterStudy LMS WordPress Plugin – for Online Courses and Education < 3.2.11 - Basic Information Exposure via REST route
Published
2021-10-27
Title
OptinMonster < 2.6.5 - Unprotected REST-API Endpoints
Published
2024-02-20
Title
Backup Bolt < 1.4.0 - Sensitive Data Exposure