HT Event WordPress Event Manager Plugin for Elementor Sensitive Information Exposure Vulnerability
Vulnerability
A vulnerability allowing sensitive information exposure has been identified in the HT Event WordPress Event Manager Plugin for Elementor, affecting all versions through 1.4.7. The issue arises in the 'render' function of the 'htevent_sponsor' widget, located in the 'includes/widgets/htevent_sponsor.php' file. This vulnerability enables authenticated attackers with Contributor-level access and above to access private, pending, scheduled, and draft template data.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive template data, including private, pending, scheduled, and draft information.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the HT Event: Sponsor widget in Elementor. The vulnerability is triggered when the widget is rendered, allowing access to sensitive template data that should remain private.
Remediation
Users are advised to update the plugin to version 1.4.8 or a newer patched version.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.