Unauthorized Modification of Data Leads to Denial of Service in Sky Addons for Elementor
CVE-2024-11104

8.1 HIGH

Summary

The Sky Addons for Elementor plugin for WordPress allows unauthorized modification of data because its save_options() function lacks a capability check. All versions up to and including 2.6.2 are affected. Authenticated attackers, even those with only subscriber-level access, can alter arbitrary options that can be saved as arrays, which can lead to denial of service on the affected WordPress installation.
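A sketch of what a save handler with the missing checks in place looks like, as an added example that is not the plugin's own code. It assumes the function is reached through a WordPress AJAX action; every name prefixed `example_` and the request field names are hypothetical.

```php
<?php
// Hypothetical handler: the example_ names and the 'option', 'values' and
// 'nonce' request fields are assumptions, not Sky Addons identifiers.

// Options this handler may write; anything else is rejected.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_addons_widgets', 'example_addons_extensions' );

add_action( 'wp_ajax_example_save_options', 'example_save_options' );

function example_save_options() {
    // 1. CSRF: the nonce must have been issued for this action.
    //    check_ajax_referer() terminates the request when it is invalid.
    check_ajax_referer( 'example_save_options', 'nonce' );

    // 2. Authorization: wp_ajax_* hooks fire for every logged-in user,
    //    subscribers included, so the handler has to check the capability itself.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. The option name must match a fixed allowlist, so a request cannot
    //    overwrite unrelated site options with an array.
    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option' ), 400 );
    }

    // 4. Values: accept only an array, keep scalar entries, sanitize each one.
    $raw = isset( $_POST['values'] ) ? wp_unslash( $_POST['values'] ) : null;
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
    }
    $clean = array();
    foreach ( $raw as $key => $value ) {
        if ( is_scalar( $value ) ) {
            $clean[ sanitize_key( $key ) ] = sanitize_text_field( (string) $value );
        }
    }

    update_option( $name, $clean );
    wp_send_json_success( array( 'saved' => $name ) );
}
```

When auditing other plugins for the same weakness, look for `wp_ajax_` callbacks that reach `update_option()` without a `current_user_can()` call on the path.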

Affected Version(s)

Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery): versions <= 2.6.2

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers