CVE-2024-13335: 
WordPress vulnerability analysis and mitigation

The Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates plugin for WordPress contains a vulnerability (CVE-2024-13335) due to a missing capability check in the tmpcoder_theme_install_func() function. This vulnerability affects all versions up to and including 1.0.14, allowing authenticated attackers with Subscriber-level access or higher to install themes without proper authorization (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 4.3 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with no impact on confidentiality (C:N), low impact on integrity (I:L), and no impact on availability (A:N) (NVD).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level privileges or higher to install themes on the WordPress installation. This unauthorized access to theme installation functionality could potentially lead to further compromise of the WordPress site (NVD).

Users should upgrade to version 1.0.15 or later of the Spexo Addons for Elementor plugin to address this vulnerability. A patch has been made available through the WordPress plugin repository (WordPress Patch).