Unauthorized Access Vulnerability in Spexo Addons for Elementor by WordPress
CVE-2024-13335

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Spexo Addons For Elementor – Free Elementor Addons, Widgets And Templates
Vendor: CVE Published:; 24 January 2025

Summary

The Spexo Addons for Elementor plugin for WordPress is susceptible to unauthorized access as it lacks proper capability checks in the tmpcoder_theme_install_func() function. All versions up to and including 1.0.14 are affected, allowing authenticated attackers with Subscriber-level access or higher to install themes without adequate permissions. This vulnerability poses a risk to the security integrity of WordPress sites utilizing this plugin, emphasizing the need for prompt updates and security measures.

Affected Version(s)

Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates * <= 1.0.14

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3227353/sast...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 24, 2025
Vulnerability Reserved
Jan 10, 2025

Credit

Tieu Pham Trong Nhan