The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure
CVE-2021-24948

7.5HIGH

Key Information:

Vendor: Wordpress
Status: The Plus Addons For Elementor - Pro
Vendor: CVE Published:; 10 January 2022

Summary

The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts

Affected Version(s)

The Plus Addons for Elementor - Pro 5.0.4 < 5.0.4*

The Plus Addons for Elementor - Pro 5.0.7

References

https://wpscan.com/vulnerability/2b67005a-476e-4772-b15c-...

x_refsource_MISC

https://roadmap.theplusaddons.com/updates

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 10, 2022
Vulnerability Reserved
Jan 14, 2021

Credit

Nicolas Vidal from TEHTRIS