CVE-2024-33914

4.3 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization (broken access control) vulnerability in the Exclusive Addons for Elementor WordPress plugin: the plugin's post-duplication function does not check that the requesting user is allowed to perform the action, so an authenticated but low-privileged user can duplicate posts they should not be able to. Any WordPress site running an affected version with the plugin activated is exposed.

💻 Affected Systems

Products:
  • Exclusive Addons for Elementor WordPress plugin
Versions: All versions up to and including 2.6.9.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Exclusive Addons for Elementor plugin installed and activated.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Low-privileged users could duplicate posts they are not authorized to access or edit, and use the resulting copies to publish content that appears legitimate (spam, defacement, or impersonation of existing posts).

🟠

Likely Case

Low-privileged users or attackers could duplicate posts to create spam content or disrupt site organization.

🟢

If Mitigated

If open registration is disabled and low-privileged accounts are kept to a minimum and reviewed, only already-trusted users can reach the vulnerable function, which keeps the impact small until the patch is applied.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account on the WordPress site, but not administrative privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.6.9.1

Vendor Advisory: https://patchstack.com/database/vulnerability/exclusive-addons-for-elementor/wordpress-exclusive-addons-for-elementor-plugin-2-6-9-1-broken-access-control-on-post-duplication-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Exclusive Addons for Elementor'.
4. Click 'Update Now' if available, or download the latest version from the WordPress plugin repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable plugin temporarily (applies to: all)

Deactivate the Exclusive Addons for Elementor plugin until it is patched. Note that any pages built with the plugin's Elementor widgets will stop rendering those widgets while it is deactivated.

wp plugin deactivate exclusive-addons-for-elementor

Restrict user roles (applies to: all)

Limit post-editing capabilities to trusted administrators only, using a WordPress role management plugin or custom code to restrict capabilities. This reduces the pool of accounts that can reach the vulnerable function but does not fix the missing check itself.

🧯 If You Can't Patch

  • Remove the Exclusive Addons for Elementor plugin completely
  • Implement strict user role management and audit all post duplication activities

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin go to Plugins → Installed Plugins → Exclusive Addons for Elementor and read the version. If it is 2.6.9.1 or earlier and the plugin is active, the site is vulnerable.

Check Version:

wp plugin get exclusive-addons-for-elementor --field=version

Verify Fix Applied:

After updating, confirm the plugin version is higher than 2.6.9.1, then log in as a non-admin test account (for example a Contributor) and confirm it can no longer duplicate posts it has no permission to edit.
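The check above, as an added shell script (not from the advisory or the plugin): `is_vulnerable_version` compares a version string against 2.6.9.1 field by field, so that 2.6.10 is correctly treated as newer than 2.6.9.1 (a plain string comparison would get this wrong), and `check_site` reads the installed version and activation status from a live site with wp-cli. The `wp plugin get ... --field=status` and `--field=version` calls are standard wp-cli; the exit-code convention and the `--check` flag are this example's own.

```shell
#!/bin/sh
# Added example for CVE-2024-33914 (not the advisory's or the plugin's code).
# Decides whether an installed Exclusive Addons for Elementor version is in
# the affected range (<= 2.6.9.1) and, when wp-cli is available, reads the
# installed version and activation status from the site itself.

LAST_AFFECTED="2.6.9.1"   # last affected release per the advisory
PLUGIN_SLUG="exclusive-addons-for-elementor"

# version_le A B: exit 0 if A <= B, comparing dot-separated numeric fields.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0   # missing fields count as 0 (2.7 == 2.7.0)
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# is_vulnerable_version V: exit 0 if V is an affected release.
is_vulnerable_version() {
    version_le "$1" "$LAST_AFFECTED"
}

# check_site [WP_PATH]: query the live site with wp-cli (example convention).
# Exit codes: 0 = plugin absent, inactive, or patched; 1 = active and affected;
#             2 = could not determine (wp-cli missing or version unreadable).
check_site() {
    path="${1:-.}"
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found"; return 2; }
    status=$(wp --path="$path" plugin get "$PLUGIN_SLUG" --field=status 2>/dev/null) \
        || { echo "$PLUGIN_SLUG is not installed (or $path is not a WordPress install)"; return 0; }
    ver=$(wp --path="$path" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) \
        || { echo "could not read $PLUGIN_SLUG version"; return 2; }
    if ! is_vulnerable_version "$ver"; then
        echo "OK: $PLUGIN_SLUG $ver is newer than $LAST_AFFECTED"
        return 0
    fi
    if [ "$status" != "active" ]; then
        echo "NOTE: $PLUGIN_SLUG $ver is affected but currently $status; update before re-activating"
        return 0
    fi
    echo "VULNERABLE: $PLUGIN_SLUG $ver is active and <= $LAST_AFFECTED"
    return 1
}

# Only run the live check when invoked with --check, so the functions above
# can also be sourced into other scripts.
case "${1:-}" in
    --check) check_site "${2:-.}" ;;
esac
```

Run it as `sh check-exad.sh --check /var/www/html`; a non-zero exit from a cron job or CI step is the signal to update (`wp plugin update exclusive-addons-for-elementor`) and re-run the manual duplication test described above.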

📡 Detection & Monitoring

Log Indicators:

  • Multiple post duplication events from non-admin users
  • Unusual post creation patterns

Network Indicators:

  • POST requests to post duplication endpoints from unauthorized IPs/users

SIEM Query (illustrative; WordPress core does not record post duplication, so the actual field names depend on the activity-logging plugin or web-server logs you forward):

source="wordpress" action="post_duplicate" user_role!="administrator"
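The two log indicators above turned into an offline hunt, as an added example that is not part of the original page. The log format is an assumption for illustration (one comma-separated event per line: timestamp, user, role, action, post_id); real activity-log exports use their own layouts, so adjust the field positions to your source. The sample events are constructed.

```shell
#!/bin/sh
# Added example for CVE-2024-33914: hunt an activity-log export for
# post-duplication events that should not have happened. Not the advisory's
# or any plugin's code; the log layout below is assumed for illustration:
#   timestamp,user,role,action,post_id

# Write a constructed sample log to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-05-01T10:00:01Z,alice,administrator,post_duplicate,101
2024-05-01T10:02:13Z,bob,contributor,post_duplicate,102
2024-05-01T10:02:15Z,bob,contributor,post_duplicate,103
2024-05-01T10:02:16Z,bob,contributor,post_duplicate,104
2024-05-01T10:02:18Z,bob,contributor,post_duplicate,105
2024-05-01T10:05:00Z,carol,editor,post_update,106
2024-05-01T10:06:30Z,dave,subscriber,post_duplicate,107
EOF
}

# flag_duplicators LOG [MIN]: print "user role count" for every
# non-administrator with at least MIN post_duplicate events (default 3).
# This is the SIEM query above with a volume threshold added.
flag_duplicators() {
    awk -F',' -v min="${2:-3}" '
        $4 == "post_duplicate" && $3 != "administrator" {
            n[$2]++; role[$2] = $3
        }
        END {
            for (u in n) if (n[u] >= min) printf "%s %s %d\n", u, role[u], n[u]
        }' "$1" | sort
}

# flag_unexpected_roles LOG: print "timestamp user post_id" for every
# post_duplicate event by a subscriber. Stock WordPress gives subscribers no
# post-editing capability, so even a single event from that role is an alert
# on its own, regardless of volume.
flag_unexpected_roles() {
    awk -F',' '$4 == "post_duplicate" && $3 == "subscriber" { print $1, $2, $5 }' "$1"
}

# Demo run when invoked with --demo; otherwise the functions are just defined.
case "${1:-}" in
    --demo)
        tmp=$(mktemp)
        write_sample_log "$tmp"
        echo "Non-admins with >= 3 duplications:"; flag_duplicators "$tmp" 3
        echo "Subscriber duplications:";           flag_unexpected_roles "$tmp"
        rm -f "$tmp"
        ;;
esac
```

On the sample log the first query flags bob (a contributor with four duplications in a few seconds) and the second flags dave's single event. Tune the threshold to your site's normal editorial activity; a burst of duplications from one low-privileged account within a short window is the pattern to alert on.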

🔗 References