CVE-2024-8978

Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders <= 6.0.9 - Authenticated (Contributor+) Sensitive Information Exposure

Severity Score

5.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_register_user_email_controls' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including usernames and passwords of any users who register via the Login | Register Form widget, as long as that user opens the email notification for successful registration.

Los complementos Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders para WordPress son vulnerables a la exposición de información confidencial en todas las versiones hasta la 6.0.9 incluida a través de la función 'init_content_register_user_email_controls'. Esto hace posible que los atacantes autenticados, con acceso de nivel de colaborador y superior, extraigan datos confidenciales, incluidos los nombres de usuario y las contraseñas de cualquier usuario que se registre a través del widget Formulario de inicio de sesión | Registro, siempre que ese usuario abra la notificación por correo electrónico para el registro exitoso.

*Credits: wesley

CVSS Scores

Wordfencev3.1 5.7

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-18 CVE Reserved
2024-11-14 CVE Published
2024-11-15 CVE Updated
2024-11-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (3)

URL	Tag	Source
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Login_Register.php#L2220
https://plugins.trac.wordpress.org/changeset/3188634
https://www.wordfence.com/threat-intel/vulnerabilities/id/baae8fb9-b87c-4f61-88da-871c4c83615b?source=cve

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wpdevteam Search vendor "Wpdevteam"		Essential Addons For Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders Search vendor "Wpdevteam" for product "Essential Addons For Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders"				<= 6.0.9 Search vendor "Wpdevteam" for product "Essential Addons For Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders" and version " <= 6.0.9"		en		Affected