CVE-2021-24948 The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure

2022-01-1015:30:31

CWE-200

WPScan

www.cve.org

plus addons

elementor pro

sensitive data disclosure

wordpress plugin

unauthenticated users

ajax action

EPSS

0.002

Percentile

55.9%

JSON

The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts

CNA Affected

[
  {
    "product": "The Plus Addons for Elementor - Pro",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "5.0.4*",
        "status": "affected",
        "version": "5.0.4",
        "versionType": "custom"
      },
      {
        "lessThan": "5.0.7",
        "status": "affected",
        "version": "5.0.7",
        "versionType": "custom"
      }
    ]
  }
]