In this post, we'll discuss a recent vulnerability discovered in the Royal Elementor Addons and Templates plugin for WordPress. This popular plugin is meant to provide users with a wide range of pre-built templates and addons for the Elementor page builder. Unfortunately, all versions up to and including 1.7.1003 are vulnerable to information exposure. This vulnerability has been assigned the CVE identifier CVE-2024-10798.

The vulnerability affects the wpr-template shortcode and arises from insufficient restrictions on the posts that can be included. The shortcoming makes it possible for authenticated attackers with at least Contributor-level access to extract data from private or draft posts created via Elementor that they should not have access to.

Below, we'll dive into the specifics of the vulnerability, including a code snippet to demonstrate the exploit and links to original references.

Exploit Details

The information exposure vulnerability resides in the wpr-template shortcode, which is meant to display specified Elementor templates within a WordPress post or page. By passing an unauthorized post ID as a parameter to this shortcode, an attacker can access and disclose data from any private or draft Elementor-created post, potentially retrieving sensitive information.

For instance, let's assume we have an attacker with Contributor-level access to a WordPress site that uses the Royal Elementor Addons and Templates plugin. The attacker can craft a post that includes the following shortcode:

[wpr_template id="XXX"]

By replacing XXX with the post ID of a private or draft Elementor-created post, the attacker can display the content of that post to anyone who has access to the attacker's published post.

Here's a step-by-step guide on how the exploit works:

1. The attacker identifies a private or draft post created using Elementor and obtains its ID (e.g., 12345).

2. The attacker creates a new post or edits an existing one, inserting the following shortcode: [wpr_template id="12345"]

3. The attacker publishes the post containing the shortcode.

4. Any user who loads the attacker's published post will see the content of the private or draft post with ID 12345.
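The authorization check this class of shortcode needs, shown as an added illustration and not as the plugin's own code: a hypothetical handler that refuses to render a non-published template unless the viewer could read that post directly. The function name, the `elementor_library` post type slug and the use of `wpr_template` as the registered tag are assumptions; everything else is WordPress core API.

```php
<?php
/**
 * Hypothetical shortcode handler (not the plugin's code) illustrating
 * the check whose absence causes the information exposure.
 * WordPress core functions used: add_shortcode, shortcode_atts, absint,
 * get_post, get_post_status, current_user_can, post_password_required,
 * apply_filters, wp_kses_post.
 */
function example_wpr_template_shortcode( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'wpr_template' );
    $post_id = absint( $atts['id'] );
    if ( ! $post_id ) {
        return '';
    }

    $template = get_post( $post_id );
    if ( ! $template ) {
        return '';
    }

    // Render only the post type the shortcode exists for (slug assumed here).
    if ( 'elementor_library' !== $template->post_type ) {
        return '';
    }

    // Weak pattern: rendering at this point regardless of post status lets
    // whoever controls a post containing the shortcode surface a draft or
    // private template to every reader of that post.
    //
    // Hardened form: a non-published template is rendered only when the
    // current *viewer* holds read_post on it. Contributors and anonymous
    // readers do not hold it for other users' drafts or private posts,
    // so the shortcode no longer discloses them.
    if ( 'publish' !== get_post_status( $template )
        && ! current_user_can( 'read_post', $post_id ) ) {
        return '';
    }

    // Password-protected templates must not be rendered in the clear either.
    if ( post_password_required( $template ) ) {
        return '';
    }

    return wp_kses_post( apply_filters( 'the_content', $template->post_content ) );
}
add_shortcode( 'wpr_template', 'example_wpr_template_shortcode' );
```

Because the capability check runs against the viewer at render time, an administrator previewing a pending post still sees the template, while public readers of the published post do not.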

Original References

The vulnerability was initially reported by the Wordfence Threat Intelligence team. The following links provide more information on the vulnerability and the steps taken to address it:

- Wordfence Threat Intelligence blog post
- CVE-2024-10798 entry on MITRE
- NVD - CVE-2024-10798

Conclusion and Remediation

CVE-2024-10798 is a critical information exposure vulnerability affecting the Royal Elementor Addons and Templates plugin for WordPress. It is especially crucial for site administrators to address this issue as it allows lower-level authenticated users to access and disclose sensitive data from private or draft posts created via Elementor.

To mitigate this vulnerability, users of the Royal Elementor Addons and Templates plugin are advised to update their plugin version to the latest one available, which contains a fix for this security issue. Additionally, website administrators should review user roles and permissions, ensuring that only trusted users have Contributor-level access or higher.

Timeline

Published on: 11/28/2024 10:15:05 UTC