Description

WordPress Plugin The Plus Addons for Elementor is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently send arbitrary reset password emails to registered users on behalf of the WordPress site. WordPress Plugin The Plus Addons for Elementor version 4.1.10 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 4.1.11 or latest

References

https://sploitus.com/exploit?id=WPEX-ID:486B82D1-30D4-44D2-9542-F33E3F149E92

https://theplusaddons.com/changelog/

Related Vulnerabilities

WordPress Plugin FAQ Multiple Cross-Site Scripting Vulnerabilities (1.0.14)

WordPress Plugin Import all XML, CSV & TXT into WordPress Cross-Site Scripting (6.4.2)

WordPress Plugin Custom Fields Search by BestWebSoft Cross-Site Scripting (1.3.1)

Squid Improper Encoding or Escaping of Output Vulnerability (CVE-2021-31806)

WordPress Plugin GTM4WP Cross-Site Scripting (1.15)

Severity

High

Classification

CVE-2021-24359 CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass