CVE-2024-10795: 
WordPress vulnerability analysis and mitigation

The Popularis Extra plugin for WordPress contains an Information Exposure vulnerability (CVE-2024-10795) affecting all versions up to and including 1.2.7. The vulnerability was discovered and disclosed on November 15, 2024. The issue exists in the 'elementor-template' shortcode functionality due to insufficient restrictions on post access (NVD).

The vulnerability stems from insufficient restrictions in the 'elementor-template' shortcode implementation, which fails to properly validate access permissions for posts created with Elementor. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD).

This vulnerability allows authenticated attackers with Contributor-level access or higher to extract data from private or draft posts that were created using Elementor, even when they should not have permission to access such content (NVD).

The vulnerability has been patched in version 1.2.8 of the Popularis Extra plugin. The update includes security improvements and adds a check for post status before allowing access to content (WordPress Changelog).