CVE-2021-24948: 
WordPress vulnerability analysis and mitigation

The Plus Addons for Elementor - Pro WordPress plugin before version 5.0.7 contains a sensitive data disclosure vulnerability identified as CVE-2021-24948. The vulnerability was discovered and reported by Nicolas Vidal from TEHTRIS and was publicly disclosed on December 13, 2021. The affected software is the Plus Addons for Elementor Pro WordPress plugin (WPScan).

The vulnerability stems from improper validation of the qvquery parameter in the tpgetdlpostinfo_ajax AJAX action. This security flaw has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows unauthenticated users to retrieve sensitive information from the WordPress installation, specifically including private and draft posts. This unauthorized access to protected content could potentially expose confidential or unpublished information (WPScan).

The vulnerability has been patched in version 5.0.7 of the Plus Addons for Elementor Pro plugin. Users are strongly advised to update to this version or later to protect against potential exploitation (Vendor Advisory).