CVE-2024-12116: 
WordPress vulnerability analysis and mitigation

The Unlimited Theme Addon For Elementor and WooCommerce plugin for WordPress contains an Information Exposure vulnerability (CVE-2024-12116) affecting all versions up to and including 1.2.1. The vulnerability was discovered and disclosed on January 11, 2025. The issue affects the 'uta-template' shortcode functionality within the plugin (Wordfence).

The vulnerability stems from insufficient restrictions on which posts can be included via the 'uta-template' shortcode. This security flaw allows authenticated attackers with Contributor-level access or higher to extract data from private or draft posts created with Elementor that they should not have access to. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability allows authenticated users with Contributor-level privileges to access unauthorized content, specifically private or draft posts created using Elementor. This could lead to the exposure of sensitive or unpublished information that was intended to remain private (WordPress Plugin).

Users should update to a version newer than 1.2.1 when available. Until then, site administrators should carefully review and potentially restrict Contributor access to minimize the risk of unauthorized information exposure (Wordfence).