CVE-2024-0835: 
WordPress vulnerability analysis and mitigation

The Royal Elementor Kit theme for WordPress (CVE-2024-0835) contains a vulnerability related to unauthorized arbitrary transient updates, discovered and disclosed on February 5, 2024. This security flaw affects all versions up to and including 1.0.116 of the theme. The vulnerability stems from a missing capability check in the dismissed_handler function (NVD, WPScan).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and required low privileges. The security flaw specifically allows authenticated attackers with subscriber access or higher to update arbitrary transients, though these updates are limited to boolean 'true' values only (Wordfence).

The vulnerability allows authenticated attackers with subscriber-level access or higher to perform unauthorized transient updates in the WordPress database. While the impact is somewhat limited since attackers can only set transient values to 'true', this could potentially affect site functionality or user experience depending on how the theme utilizes these transient values (NVD).

The vulnerability has been patched in version 1.0.117 of the Royal Elementor Kit theme. Users are advised to update to this version or later to protect against potential exploitation (WPScan).