Sensitive Information Exposure in RomethemeKit For Elementor Plugin by WordPress
CVE-2024-10324

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Romethemekit For Elementor
Vendor: CVE Published:; 24 January 2025

Summary

The RomethemeKit For Elementor plugin is susceptible to sensitive information exposure due to a flaw in the register_controls function found in the widgets/offcanvas-rometheme.php file. This vulnerability affects all versions up to and including 1.5.2 and can be exploited by authenticated users with Contributor-level access or higher, allowing them to gain access to confidential data, including private, pending, and draft templates. It is crucial for users and administrators of this plugin to take immediate action to mitigate the risk of unauthorized data exposure.

Affected Version(s)

RomethemeKit For Elementor * <= 1.5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3220079/rome...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 24, 2025
Vulnerability Reserved
Oct 23, 2024

Credit

Ankit Patel