WordPress is one of the most widely used content management systems in the world, powering millions of sites. As a result, its ecosystem of themes and plugins is a huge target for potential vulnerabilities. In early 2024, a critical vulnerability was discovered in the popular Royal Elementor Addons and Templates plugin, exposing sensitive content to the wrong users.
In this post, we’ll break down CVE-2024-10798, show you a working proof-of-concept exploit, and explain what you need to do to keep your site secure.
What is CVE-2024-10798?
CVE-2024-10798 is an Information Exposure vulnerability affecting all versions of the Royal Elementor Addons and Templates plugin up to (and including) v1.7.1003. The flaw exists in the 'wpr-template' shortcode, where there aren’t enough checks on which posts can be included in a page. This lets authenticated users with ‘Contributor’ rights or higher extract data from private or draft posts, including sensitive content that’s not meant for them.
Why is This a Problem?
Normally, only specific users (like authors or admins) are supposed to see private or draft posts. With this plugin installed and activated, even lower privileged users (contributors) can leak protected content using a simple shortcode trick. This could expose:
Understanding the 'wpr-template' Shortcode
The core issue is the wpr-template shortcode that imports Elementor-designed templates. Because the plugin doesn’t properly restrict what post IDs can be loaded, users can point it at *any* Elementor-made template, even if it’s a private or draft post.
Here’s the syntax:
[wpr-template id="POST_ID"]
Create a new post or edit one you have access to.
Add the following code in the post body (replace 1234 with the post ID of a private or draft Elementor template):
[wpr-template id="1234"]
Save and preview the post.
If the target post (ID 1234) is a private or draft Elementor template, its contents will be displayed on your new post, even if you don’t normally have the right to view it.
Finding Template Post IDs
If you don’t know the template post ID, you can often enumerate IDs via predictable URLs or by brute-forcing the ID numbers. For example:
https://targetsite.com/wp-admin/post.php?post=1234&action=edit
If you get a "you do not have permission" error, the post likely exists but is protected.
Technical Code Snippet
Here’s a snippet showing how an attacker can build a basic page to extract info from private/draft Elementor templates:
// Equivalent of what WordPress runs server-side when it renders the Contributor's post:
echo do_shortcode('[wpr-template id="1234"]');
Or, with raw HTML handling, just add this to the post content:
[wpr-template id="1234"]
This works as long as the attacker can create or edit their own posts and can guess or enumerate the post IDs of protected Elementor templates.
Links to Original References
- Patchstack Advisory: Royal Elementor Addons and Templates < 1.7.1004 - Sensitive Information Disclosure via wpr-template Shortcode
- Official CVE entry: CVE-2024-10798
- Wordfence Report (Archived)
What should you do?
- Update immediately: Upgrade the Royal Elementor Addons and Templates plugin to 1.7.1004 or higher, where the issue is fixed.
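After updating, it is worth checking whether the shortcode was already used this way on your site. The following audit sketch is an added example, not code from the plugin or the advisories. It assumes you have exported rows from wp_posts into the hypothetical dict layout shown (id, author, status, content) along with a login-to-role map, and the sample rows are constructed.

```python
import re

# [wpr-template id="1234"], with double, single or no quotes around the ID.
SHORTCODE_RE = re.compile(r"""\[wpr-template\b[^\]]*?\bid\s*=\s*["']?(\d+)""")

# Assumption: stock WordPress roles that cannot read other users' private/draft posts.
LOW_PRIV_ROLES = {"contributor", "author"}
PROTECTED_STATUSES = {"private", "draft"}


def find_suspicious_embeds(posts, roles):
    """Return (embedding_post_id, author, target_id, target_status) for each
    wpr-template shortcode where a low-privileged author references a
    private or draft post that belongs to someone else."""
    by_id = {p["id"]: p for p in posts}
    findings = []
    for post in posts:
        author = post["author"]
        if roles.get(author) not in LOW_PRIV_ROLES:
            continue  # editors and admins can already read these posts
        for match in SHORTCODE_RE.finditer(post["content"]):
            target = by_id.get(int(match.group(1)))
            if target is None:
                continue  # referenced ID is not in the export
            if target["status"] in PROTECTED_STATUSES and target["author"] != author:
                findings.append((post["id"], author, target["id"], target["status"]))
    return findings


# Constructed sample data (not taken from a real site).
SAMPLE_ROLES = {"alice": "administrator", "bob": "contributor", "carol": "editor"}
SAMPLE_POSTS = [
    {"id": 1234, "author": "alice", "status": "private", "content": "<p>internal pricing</p>"},
    {"id": 1300, "author": "alice", "status": "publish", "content": "<p>public footer</p>"},
    {"id": 1401, "author": "bob", "status": "draft", "content": 'Intro [wpr-template id="1234"]'},
    {"id": 1402, "author": "bob", "status": "draft", "content": "[wpr-template id='1300']"},
    {"id": 1403, "author": "carol", "status": "publish", "content": "[wpr-template id=1234]"},
    {"id": 1404, "author": "bob", "status": "draft", "content": '[wpr-template id="1401"]'},
]

if __name__ == "__main__":
    for post_id, author, target_id, status in find_suspicious_embeds(SAMPLE_POSTS, SAMPLE_ROLES):
        print("post %d by %s embeds %s template %d" % (post_id, author, status, target_id))
```

Including revision and autosave rows in the export also covers shortcodes that were previewed and then removed from the post.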
Conclusion
CVE-2024-10798 is a stark reminder that even simple plugin shortcodes can become a major data-leak risk if proper security checks aren’t enforced. If you use Royal Elementor Addons and Templates, update as soon as possible, and always be careful with plugin permissions!
Have any questions about this vulnerability? Let us know below! Stay safe and keep your WordPress site secure.
Timeline
Published on: 11/28/2024 10:15:05 UTC