CVE-2024-3249 - Vulnerability Details - OpenCVE

The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00209.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library
https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library
https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve

History

Wed, 08 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-862

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-06-25T06:57:38.060Z

Updated: 2026-04-08T16:57:09.162Z

Reserved: 2024-04-02T23:57:51.528Z

Link: CVE-2024-3249

Vulnrichment

Updated: 2024-08-01T20:05:08.365Z

NVD

Status : Awaiting Analysis

Published: 2024-06-25T07:15:45.323

Modified: 2026-04-08T18:21:22.337

Link: CVE-2024-3249

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-3249", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-04-02T23:57:51.528Z", "datePublished": "2024-06-25T06:57:38.060Z", "dateUpdated": "2026-04-08T16:57:09.162Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:09.162Z"}, "affected": [{"vendor": "wpzita", "product": "Zita Site Library for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2."}], "title": "Zita Elementor Site Library <= 1.6.2 - Missing Authorization to Page Creation and Options Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library"}, {"url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-04-04T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2024-06-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-02T14:33:01.420484Z", "id": "CVE-2024-3249", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T14:33:11.366Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:08.365Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:05:08.365Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3249", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-02T14:33:01.420484Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-02T14:33:07.541Z"}}], "cna": {"title": "Zita Elementor Site Library <= 1.6.2 - Missing Authorization to Page Creation and Options Modification", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpzita", "product": "Zita Elementor Site Library", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.6.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-04-04T00:00:00.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2024-06-24T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library"}, {"url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library"}], "descriptions": [{"lang": "en", "value": "The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-06-25T06:57:38.060Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3249", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:05:08.365Z", "dateReserved": "2024-04-02T23:57:51.528Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-06-25T06:57:38.060Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2."}, {"lang": "es", "value": "El complemento Zita Elementor Site Library para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en las funciones import_xml_data, xml_data_import, import_option_data, import_widgets e import_customizer_settings en todas las versiones hasta la 1.6.2 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, creen p\u00e1ginas, actualicen ciertas opciones, incluidos los t\u00edtulos de las p\u00e1ginas de WooCommerce y la configuraci\u00f3n de Elementor, importen widgets y actualicen la configuraci\u00f3n del personalizador del complemento y el CSS personalizado de WordPress. NOTA: Esta vulnerabilidad se solucion\u00f3 parcialmente en la versi\u00f3n 1.6.2."}], "id": "CVE-2024-3249", "lastModified": "2026-04-08T18:21:22.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-06-25T07:15:45.323", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}