CVE-2024-10670: 
WordPress vulnerability analysis and mitigation

The Primary Addon for Elementor plugin for WordPress contains an Information Exposure vulnerability (CVE-2024-10670) affecting all versions up to and including 1.6.2. The vulnerability was discovered and reported by Francesco Carlucci, with disclosure on November 27, 2024. The issue affects WordPress installations using the Primary Addon for Elementor plugin (NVD Database).

The vulnerability exists in the [prim_elementor_template] shortcode implementation, which has insufficient restrictions on post access control. The issue has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD Database).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to extract data from private or draft posts that were created with Elementor, even if they should not have access to this content. This represents a significant information disclosure risk for sites using the affected plugin (NVD Database).

Users of the Primary Addon for Elementor plugin should update their installations to versions newer than 1.6.2 when available. Until a patch is released, site administrators should carefully review and potentially restrict Contributor-level access to minimize the risk of exploitation (NVD Database).