Cross-Site Request Forgery Vulnerability in Sky Addons for Elementor
CVE-2024-11601
Key Information:
- Vendor: WordPress
- CVE Published: 22 November 2024
Summary
The Sky Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.6.1. The flaw arises from inadequate nonce validation in the save_options() function, which could allow an unauthenticated attacker to change arbitrary option values on a WordPress site through a forged request. To exploit it, the attacker must trick a site administrator into clicking a link, so that the unauthorized action is carried out in the administrator's session. The vulnerability affects only option values that can be saved as arrays.
Affected Version(s)
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery): versions <= 2.6.1