CVE-2024-11852: 
WordPress vulnerability analysis and mitigation

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress contains a vulnerability identified as CVE-2024-11852. The vulnerability affects all versions up to and including 5.10.12, and was disclosed on December 21, 2024. This security issue stems from a missing capability check in the get_layouts() function, which affects the plugin's template library functionality (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating that it requires network access and low privileges to exploit, with no user interaction needed. The issue specifically relates to the absence of proper capability checks in the get_layouts() function (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to obtain a detailed listing of layout templates. This unauthorized access to data could potentially expose sensitive template information that should be restricted to users with higher privilege levels (NVD).

A patch has been released to address this vulnerability. Users are advised to update their Element Pack Elementor Addons plugin to a version newer than 5.10.12 (WordPress Plugin).