CVE-2024-11104

HIGH

Sky Addons for Elementor < 2.6.3 - Authenticated Arbitrary Option Update via Missing Capability Check

Title source: llm
STIX 2.1

Description

The Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blogs) plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the save_options() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. Please note this is limited to option values that can be saved as arrays.

Scores

CVSS v3 8.1
EPSS 0.0067
EPSS Percentile 47.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
wowdevs/Sky Addons – Elementor Addons with Widgets & Templates < 2.6.2
wowdevs/sky_addons_for_elementor < 2.6.3
Published Nov 22, 2024
Tracked Since Feb 18, 2026