Insecure Direct Object Reference in Education Addon for Elementor Plugin by WordPress
CVE-2024-13854

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Education Addon For Elementor
Vendor: CVE Published:; 19 February 2025

Summary

The Education Addon for Elementor plugin for WordPress is susceptible to Insecure Direct Object Reference vulnerabilities. This flaw exists in all versions up to and including 1.3.1 and arises from insufficient validation of a user-controlled key within the naedu_elementor_template shortcode. Authenticated attackers with Contributor-level access and above can exploit this weakness to gain unauthorized access to non-public post content, including drafts and password-protected entries. This vulnerability highlights the importance of proper validation protocols to prevent information disclosure in web applications.

Affected Version(s)

Education Addon for Elementor * <= 1.3.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/education-addon/#developers

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 19, 2025
Vulnerability Reserved
Feb 10, 2025

Credit

Francesco Carlucci