CVE-2024-10787: 
WordPress vulnerability analysis and mitigation

The LA-Studio Element Kit for Elementor plugin for WordPress contains an Information Exposure vulnerability (CVE-2024-10787) affecting all versions up to and including 1.4.4. The vulnerability was discovered and disclosed on December 4, 2024, impacting WordPress installations using the affected plugin versions (NVD CVE).

The vulnerability exists in the 'elementor-template' shortcode functionality due to insufficient restrictions on which posts can be included. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD CVE).

This vulnerability allows authenticated attackers with Contributor-level access or higher to extract data from private and draft posts created by Elementor that they should not have access to, potentially exposing sensitive information (NVD CVE).

Users should update the LA-Studio Element Kit for Elementor plugin to a version newer than 1.4.4 when available. Until then, consider restricting Contributor access or monitoring for unauthorized access attempts to private and draft posts (NVD CVE).