CVE-2024-8979: 
WordPress vulnerability analysis and mitigation

The Essential Addons for Elementor WordPress plugin (versions up to 6.0.9) contains a Sensitive Information Exposure vulnerability (CVE-2024-8979) discovered in November 2024. The vulnerability exists in the 'init_content_lostpassword_user_email_controls' function, affecting the plugin's password reset functionality (NVD).

The vulnerability allows authenticated attackers with Author-level access or higher to extract sensitive data including usernames and passwords of any user, including Administrators. The exploitation is contingent on the target user opening an email notification for a password change request and having images enabled in their email client. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) by NIST and 8.0 (High) by Wordfence, indicating significant potential impact (NVD).

If successfully exploited, attackers can obtain sensitive user credentials, including those of administrative users. This could lead to unauthorized access to WordPress installations and potential compromise of affected websites. The vulnerability specifically targets the password reset functionality, potentially exposing user authentication details (NVD).

A patch has been released in version 6.0.10 of the Essential Addons for Elementor plugin. Website administrators are strongly advised to update to this version or later to address the vulnerability. The fix can be found in the plugin's changelog (WordPress Changeset).