CVE-2024-10360
📋 TL;DR
The Move Addons for Elementor WordPress plugin, in versions up to and including 1.3.5, discloses template content through several of its Elementor widgets. An authenticated user with Contributor-level access or higher can read private, pending and draft Elementor templates that their role should not be able to see. Every WordPress site running a vulnerable version is affected.
💻 Affected Systems
- Move Addons for Elementor WordPress plugin, versions 1.3.5 and earlier (fixed in 1.3.6)
📦 What is this software?
Move Addons for Elementor is a third-party WordPress plugin that adds extra widgets to the Elementor page builder, including widgets that render saved Elementor templates inside a page.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal unpublished content, proprietary templates, or sensitive business information before publication, potentially enabling intellectual property theft or competitive advantage loss.
Likely Case
Malicious contributors or compromised accounts accessing draft content they shouldn't see, potentially leaking upcoming content or proprietary designs.
If Mitigated
If untrusted users are kept below Contributor level and Contributor+ activity is reviewed, the exposure is limited to trusted users seeing unpublished templates earlier than intended.
🎯 Exploit Status
Exploitation requires an authenticated account with Contributor-level access or higher; beyond that it needs no special tooling, since the disclosure happens through the plugin's own widgets. Contributor accounts are easy to obtain on sites with open registration or guest-author programs, and a phished or reused password on any existing Contributor, Author or Editor account is enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.6 or later
Fix Commit (WordPress.org plugin SVN changeset, not a written advisory): https://plugins.trac.wordpress.org/changeset/3176341/move-addons
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Move Addons for Elementor'.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 1.3.6 or later from WordPress.org and upload it manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched. Deactivating it also removes its widgets from every page that uses them, so expect layout breakage on those pages.
wp plugin deactivate move-addons
Restrict User Roles
Temporarily demote untrusted Contributor and Author accounts to Subscriber. Note that `wp user set-role` takes exactly one user, so each ID has to be passed separately (`xargs -I{}`); piping all IDs into a single `wp user set-role` call is wrong. Editors are also "Contributor-level or higher", so decide per site whether they need the same treatment, and record the original roles first so they can be restored after patching.
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber
wp user list --role=author --field=ID | xargs -I{} wp user set-role {} subscriber
🧯 If You Can't Patch
- Keep accounts below Contributor unless the user is trusted, and review Contributor+ activity with an audit-log plugin
- Do not rely on web application firewall rules that block requests to the plugin's widget.php files: those files are included by Elementor inside PHP and are never requested directly over HTTP, so such a rule blocks nothing relevant
- If Elementor's Role Manager (Elementor > Role Manager) is available, deny Contributor and Author roles access to the Elementor editor so they cannot place the affected widgets at all
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. Look for Move Addons version 1.3.5 or earlier.
Check Version:
wp plugin get move-addons --field=version
Verify Fix Applied:
Confirm the installed version is 1.3.6 or higher. Then, using a Contributor test account, confirm that a private, pending or draft template can no longer be rendered through the affected widgets.
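The version check and the role-demotion workaround above, combined into one script. This is an added example written for this page, not part of Move Addons or of the original advisory; it assumes WP-CLI is installed and is run from the WordPress root (or with `--path`), and the plugin slug `move-addons` and fixed version `1.3.6` are taken from the commands and patch version quoted above. The version comparison is numeric so that a hypothetical 1.10.0 is not mistaken for a vulnerable release, and the demotion step prints its commands for review unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (hypothetical helper around WP-CLI); not plugin or advisory code.
# Assumes: WP-CLI available, run from the WordPress root or with --path.
set -eu

FIXED_VERSION="1.3.6"      # first patched release named in the advisory
PLUGIN_SLUG="move-addons"  # slug used by the advisory's wp-cli commands

# Turn "a.b.c" into an integer so that 1.10.0 sorts above 1.3.5
# (a plain string comparison would get that wrong).
vernum() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# Exit 0 (true) when the given version predates the fix.
is_vulnerable() {
  [ "$(vernum "$1")" -lt "$(vernum "$FIXED_VERSION")" ]
}

# Emit one "wp user set-role" command per user ID (IDs one per line).
# wp user set-role accepts a single user, so the IDs must not be handed
# to it all at once.
demotion_commands() {
  printf '%s\n' "$1" | while IFS= read -r id; do
    [ -n "$id" ] || continue
    printf 'wp user set-role %s subscriber\n' "$id"
  done
}

# Live check: report the installed version and whether it is affected.
check_plugin() {
  ver=$(wp plugin get "$PLUGIN_SLUG" --field=version)
  if is_vulnerable "$ver"; then
    echo "VULNERABLE: $PLUGIN_SLUG $ver (older than $FIXED_VERSION)"
    return 1
  fi
  echo "OK: $PLUGIN_SLUG $ver"
}

# Workaround: demote Contributor and Author accounts to Subscriber.
# Prints the commands unless APPLY=1, so the list can be reviewed first.
# Editors are also Contributor-or-higher; add "editor" to ROLES if that
# is acceptable for the site. Record the original roles before applying.
demote_low_privilege_users() {
  ROLES="${ROLES:-contributor author}"
  for role in $ROLES; do
    ids=$(wp user list --role="$role" --field=ID)
    demotion_commands "$ids" | while IFS= read -r cmd; do
      if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
    done
  done
}

# Usage: ./move-addons-check.sh check | update | demote
case "${1:-}" in
  check)  check_plugin ;;
  update) wp plugin update "$PLUGIN_SLUG" && check_plugin ;;
  demote) demote_low_privilege_users ;;
esac
```

Run `check` before and after updating; `demote` is the stop-gap for sites that cannot patch immediately, and the printed commands double as the list of accounts whose roles must be restored afterwards.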
📡 Detection & Monitoring
Log Indicators:
- Stock web server logs never show the plugin's widget.php files: they are included by Elementor inside PHP, not requested over HTTP, so "requests to widget.php" is not a usable indicator
- Contributor or Author accounts opening the Elementor editor or Elementor previews far more often than their publishing activity warrants, which is where the affected widgets would render a template
- Repeated editor or preview activity from a single low-privilege account across many of its own draft posts
Network Indicators:
- No reliable network-level indicator: the disclosure rides on ordinary authenticated Elementor editor and preview traffic (for example URLs carrying action=elementor or elementor-preview=) and is indistinguishable from legitimate use without knowing the requesting user's role
SIEM Query:
The query below only works if the log source carries the WordPress user identity and role, which a plain access log does not; that field has to come from an audit-log plugin or a custom access-log format that records the logged-in user. A query keyed on uri_path="*widget.php" will never match.
source="wordpress.log" AND uri_query="*action=elementor*" AND user_role IN ("contributor", "author")
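A small detection pass over log lines, as an added example written for this page rather than the advisory's own query or a Move Addons component. It assumes two things that are not in the original: that the web server's access-log format has been extended so the third field is the authenticated WordPress user name (a stock access log carries no WordPress identity), and that a role map was exported with `wp user list --fields=user_login,roles --format=csv`. The sample log and role map are constructed for the example; the URL fragments `action=elementor` and `elementor-preview=` are Elementor's editor and preview parameters, used here on the assumption that those are the requests in which the affected widgets render a template.

```shell
#!/bin/sh
# Added example (hypothetical detection helper); not advisory or plugin code.
# Assumes: access log with the WordPress user name as field 3, and a
# role map CSV (user_login,roles) exported with WP-CLI.
set -eu

# Requests that open the Elementor editor or an Elementor preview, where a
# placed widget renders the template it points at. Plain page views are
# not interesting here.
EDITOR_PATTERN='action=elementor|elementor-preview='

# Print "user count" for every contributor/author account whose requests
# match EDITOR_PATTERN, highest count first. Usage: <access.log> <roles.csv>
flag_low_priv_editor_use() {
  log="$1"; rolemap="$2"
  awk -v pat="$EDITOR_PATTERN" '
    FNR == NR {                          # first file: role map CSV
      if (FNR > 1) {
        split($0, f, ",")
        if (f[2] ~ /contributor|author/) low[f[1]] = 1
      }
      next
    }
    {                                    # second file: access log
      user = $3
      if ((user in low) && $0 ~ pat) hits[user]++
    }
    END { for (u in hits) print u, hits[u] }
  ' "$rolemap" "$log" | sort -k2,2nr
}

# Constructed sample data (not real traffic): one Contributor who keeps
# reloading the editor/preview, one Author opening the editor once, a
# Subscriber and an Administrator who should both be ignored.
write_samples() {
  dir="$1"
  cat > "$dir/roles.csv" <<'EOF'
user_login,roles
admin,administrator
alice,contributor
bob,author
carol,subscriber
EOF
  cat > "$dir/access.log" <<'EOF'
203.0.113.5 - alice [10/Nov/2024:10:15:02 +0000] "GET /wp-admin/post.php?post=42&action=elementor HTTP/1.1" 200 5120
203.0.113.5 - alice [10/Nov/2024:10:15:09 +0000] "GET /?p=42&elementor-preview=42&ver=1 HTTP/1.1" 200 8810
203.0.113.5 - alice [10/Nov/2024:10:16:30 +0000] "GET /?p=42&elementor-preview=42&ver=2 HTTP/1.1" 200 8810
198.51.100.7 - bob [10/Nov/2024:10:20:00 +0000] "GET /wp-admin/post.php?post=77&action=elementor HTTP/1.1" 200 5120
198.51.100.9 - carol [10/Nov/2024:10:21:00 +0000] "GET /?p=12 HTTP/1.1" 200 3000
192.0.2.4 - admin [10/Nov/2024:10:22:00 +0000] "GET /wp-admin/post.php?post=3&action=elementor HTTP/1.1" 200 5120
198.51.100.7 - bob [10/Nov/2024:10:23:00 +0000] "GET /blog/ HTTP/1.1" 200 3000
EOF
}

# Usage: ./flag-editor-use.sh demo   (runs against the constructed sample)
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  write_samples "$d"
  flag_low_priv_editor_use "$d/access.log" "$d/roles.csv"
  rm -rf "$d"
fi
```

On the sample data the script reports alice with 3 matching requests and bob with 1, while the administrator's identical editor request and the subscriber's page view are filtered out by the role map. The counts are a triage signal, not proof of exploitation: a Contributor legitimately building a page will also produce editor and preview hits, so follow up by checking which templates that user's draft posts reference.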