The plugin does not properly authorize requests to various AJAX actions, allowing authenticated users (with roles as low as subscriber) to create header templates and make additional changes to the site using an easily available nonce value.
CPE

Name | Operator | Version |
---|---|---|
jeg-elementor-kit | lt | 2.5.7 |
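
The missing check described above, shown as an added example rather than the plugin's own code: a WordPress AJAX handler that relies on a nonce alone, next to one that also checks a capability. The action name, nonce name, post type and the choice of `edit_theme_options` as the required capability are assumptions made for illustration.

```php
<?php
// Hypothetical names throughout (action, nonce, post type); not from the plugin.

// Nonce-only pattern. A wp_ajax_* hook fires for ANY logged-in user, and a
// nonce printed into pages a subscriber can load proves only that the request
// is not cross-site forged. It says nothing about what the user may do.
// Registration left commented out so the weak handler is never active:
// add_action( 'wp_ajax_example_create_header', 'example_create_header_nonce_only' );
function example_create_header_nonce_only() {
    check_ajax_referer( 'example_kit_nonce', 'nonce' ); // CSRF check only
    $id = wp_insert_post( array(
        'post_type'   => 'example-header',
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => 'publish',
    ) );
    wp_send_json_success( array( 'id' => $id ) );
}

// Hardened pattern: nonce for CSRF, capability check for authorization.
add_action( 'wp_ajax_example_create_header', 'example_create_header_hardened' );
function example_create_header_hardened() {
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_kit_nonce', 'nonce' );

    // Authorization: reject roles that cannot manage site appearance.
    // Assumed capability; pick the one matching the action's real impact.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'Missing title' ), 400 );
    }

    // Second argument true makes wp_insert_post() return WP_Error on failure.
    $id = wp_insert_post( array(
        'post_type'   => 'example-header',
        'post_title'  => $title,
        'post_status' => 'publish',
    ), true );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( array( 'message' => $id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}
```

When auditing a plugin for this class of bug, list every `wp_ajax_` registration and confirm each callback reaches a `current_user_can()` check before it writes anything.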