CVE-2021-4445

Published: Oct 16, 2024Modified: Mar 6, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The Premium Addons for Elementor plugin for WordPress is vulnerable to Arbitrary Option Updates in versions up to, and including, 4.5.1. This is due to missing capability and nonce checks in the pa_dismiss_admin_notice AJAX action. This makes it possible for authenticated subscriber+ attackers to change arbitrary options with a restricted value of 1 on vulnerable WordPress sites.

Affected (1)

Products: Leap13: Premium Addons For Elementor

1 product

Premium Addons For Elementor

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Leap13 Premium Addons For Elementor	Before 4.5.2

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (5)

https://ithemes.com/blog/wordpress-vulnerability-report-september-2021-part-2/#ib-toc-anchor-2

Source: security@wordfence.com

Mailing ListThird Party Advisory

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2590819%40premium-addons-for-elementor&new=2590819%40premium-addons-for-elementor&sfp_email=&sfph_mail=

Source: security@wordfence.com

Patch

https://wordpress.org/plugins/premium-addons-for-elementor/

Source: security@wordfence.com

Product

https://wpscan.com/vulnerability/2e5b3608-1dfc-468f-b3ae-12ce7c25ee6c

Source: security@wordfence.com

ExploitThird Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/cffb26bc-3d3f-4593-bb36-d2abcd67861e?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.