CVE-2024-10663: Eleblog – Elementor Blog And Magazine Addons <= 1.8 - Missing Authorization to Authenticated (Subscriber+) Deactivation Submission

4.3 CVSS

Description

The Eleblog – Elementor Blog And Magazine Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the goodbye_form_callback() function in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason.

Classification

CVE ID: CVE-2024-10663

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

Affected Products

Vendor: smarettheme

Product: Eleblog – Elementor Blog And Magazine Addons

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.18% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/f355d2c0-6133-4091-b900-1451ebba70c4?source=cve
https://plugins.trac.wordpress.org/browser/ele-blog/trunk/inc/class-ele-blog-quick-feedback.php#L350

Timeline