Medium severity4.3NVD Advisory· Published Jun 25, 2024· Updated Apr 15, 2026

CVE-2024-3249

Description

The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3100431/zita-site-librarynvd
plugins.trac.wordpress.org/changeset/3105478/zita-site-librarynvd
www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635nvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000