CVE-2024-10357: 
WordPress vulnerability analysis and mitigation

The Clever Addons for Elementor WordPress plugin (versions up to 2.2.1) contains a Sensitive Information Exposure vulnerability identified as CVE-2024-10357. The vulnerability exists in the getTemplateContent function within src/widgets/class-clever-widget-base.php. This security issue was discovered by researcher Ankit Patel and was publicly disclosed on October 25, 2024 (Wordfence Intel).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. It is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The security flaw is present in the getTemplateContent function implementation, which can be exploited by authenticated users with Contributor-level access or higher (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level privileges or higher to extract sensitive private, pending, and draft template data from the WordPress installation. This could lead to unauthorized access to confidential template information that should not be accessible to users with lower privilege levels (NVD).

Users should update their Clever Addons for Elementor plugin to a version newer than 2.2.1 if available. Until an update is applied, site administrators should carefully review and potentially restrict Contributor-level access to minimize the risk of exploitation (NVD).