Vulnerability Description
The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissed_handler function in all versions up to, and including, 1.0.116. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note, that these transients can only be updated to true and not arbitrary values.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Royal-Elementor-Addons | Royal Elementor Kit | <= 1.0.116 |
Related Weaknesses (CWE)
References
- https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=Patch
- https://wordpress.org/themes/royal-elementor-kit/Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2cThird Party Advisory
- https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=Patch
- https://wordpress.org/themes/royal-elementor-kit/Product
- https://www.wordfence.com/threat-intel/vulnerabilities/id/603b6c52-48eb-4e8c-a2cThird Party Advisory
FAQ
What is CVE-2024-0835?
CVE-2024-0835 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissed_handler function in all versions up to, and incl...
How severe is CVE-2024-0835?
CVE-2024-0835 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-0835?
Check the references section above for vendor advisories and patch information. Affected products include: Royal-Elementor-Addons Royal Elementor Kit.