CVE-2024-11583: 
WordPress vulnerability analysis and mitigation

The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress contains a vulnerability (CVE-2024-11583) related to unauthorized loss of data. The vulnerability affects all versions up to and including 1.5.9, and was disclosed on January 30, 2025. The issue stems from a missing capability check on the 'remove_zipped_font' function, which allows authenticated attackers with Subscriber-level access or higher to delete previously uploaded icon fonts (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The weakness has been classified as CWE-862 (Missing Authorization). The vulnerability specifically affects the icon manager component of the plugin, where the 'remove_zipped_font' function lacks proper authorization checks (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level privileges or higher to delete icon fonts that were previously uploaded to the system. This can result in unauthorized loss of data and potential disruption to the website's visual elements (NVD).

Users should upgrade to a version newer than 1.5.9 when available. No specific workarounds have been publicly documented (NVD).