CVE-2024-56225: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was discovered in Leap13 Premium Addons for Elementor, affecting versions through 4.10.56. The vulnerability allows unauthorized access to functionality not properly constrained by Access Control Lists (ACLs). The issue was initially reported on December 19, 2024, and was assigned CVE-2024-56225 (NVD, Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) due to missing authorization checks. It received varying CVSS v3.1 severity scores: NIST assessed it as HIGH with a base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), while Patchstack rated it as MEDIUM with a score of 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) (NVD).

The vulnerability could allow an unprivileged user to execute certain higher privileged actions due to the broken access control implementation. The specific impact varies case by case, but it primarily affects the authorization mechanism of the plugin (Patchstack).

The vulnerability has been fixed in version 4.10.57 of the Premium Addons for Elementor plugin. Users are advised to update to version 4.10.57 or later to remove the vulnerability (Patchstack).