CVE-2024-10779: 
WordPress vulnerability analysis and mitigation

The Cowidgets – Elementor Addons plugin for WordPress contains an Information Exposure vulnerability (CVE-2024-10779) affecting all versions up to and including 1.2.0. The vulnerability was discovered and disclosed on November 8, 2024, leading to the plugin being closed on November 6, 2024 due to security issues (NVD, WordPress Plugin).

The vulnerability exists in the 'ce_template' shortcode functionality due to insufficient restrictions on post access control. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to extract data from private or draft posts created with Elementor that they should not have permission to access. This represents a significant information disclosure risk for sites using the affected plugin (NVD).

The plugin has been closed and is no longer available for download from the WordPress plugin repository as of November 6, 2024. Site administrators using this plugin should remove it immediately and seek alternative solutions (WordPress Plugin).

The plugin closure has resulted in significant user impact, with multiple reviews indicating issues with the plugin's functionality. Users have reported crashes and critical errors, particularly following updates, leading to operational disruptions for website owners (WordPress Plugin).