CVE-2024-12062: CWE-639 Authorization Bypass Through User-Controlled Key in nicheaddons Charity Addon for Elementor
CVE-2024-12062 is a medium severity vulnerability in the Charity Addon for Elementor WordPress plugin, affecting all versions up to 1.3.2. It allows authenticated users with Contributor-level access or higher to exploit insufficient authorization controls in the 'nacharity_elementor_template' shortcode. This flaw enables them to access private or draft posts created by Elementor that they should not be able to view, leading to unauthorized information disclosure. The vulnerability does not require user interaction and can be exploited remotely over the network. Although the impact is limited to confidentiality, it poses a risk to organizations relying on this plugin for managing sensitive content. No known exploits are currently reported in the wild. Mitigation involves restricting shortcode usage and applying access control checks to ensure users can only access posts they are authorized to view. Countries with significant WordPress usage and a high adoption of Elementor and its addons, such as the United States, United Kingdom, Germany, Australia, and Canada, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2024-12062 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Charity Addon for Elementor WordPress plugin, specifically in the 'nacharity_elementor_template' shortcode. This vulnerability arises because the plugin fails to properly restrict which posts can be included via the shortcode, allowing authenticated users with Contributor-level permissions or higher to access private or draft posts created with Elementor that they should not have access to. The flaw is due to insufficient validation of the user-controlled key (the post identifier passed to the shortcode) that specifies which post content to render, leading to unauthorized information exposure. Exploitation requires authentication but no additional user interaction, and it can be performed remotely via crafted shortcode usage. The vulnerability affects all versions up to and including 1.3.2 of the plugin. The CVSS 3.1 base score is 4.3 (medium severity), reflecting a network-reachable, low-complexity attack whose impact is confined to confidentiality, with no effect on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability is significant for organizations using this plugin to manage sensitive or private content, as it could lead to data leakage to unauthorized internal users.
Potential Impact
The primary impact of CVE-2024-12062 is unauthorized disclosure of private or draft content within WordPress sites using the Charity Addon for Elementor plugin. Organizations relying on this plugin to manage sensitive information, such as donor details, campaign strategies, or unpublished content, risk exposure of confidential data to users with Contributor-level access or higher who should not have such visibility. This could lead to information leakage, reputational damage, and potential compliance violations if sensitive personal or financial data is exposed. Although the vulnerability does not affect data integrity or availability, the breach of confidentiality can undermine trust and security posture. Since the exploit requires authenticated access, the threat is primarily internal or from compromised accounts. The medium severity rating reflects the moderate risk posed, but the widespread use of Elementor and its addons in nonprofit and charity sectors increases the potential attack surface globally.
Mitigation Recommendations
To mitigate CVE-2024-12062, organizations should first verify if they use the Charity Addon for Elementor plugin and identify the version in use. Until an official patch is released, administrators should restrict Contributor-level and higher user permissions carefully, limiting access to shortcode usage or disabling the vulnerable shortcode 'nacharity_elementor_template' if possible. Implement additional access control checks in the plugin code or via custom hooks to ensure that only authorized users can render private or draft posts through shortcodes. Monitoring user activities and auditing access to sensitive content can help detect exploitation attempts. Applying the principle of least privilege to user roles and regularly reviewing user permissions will reduce risk. Once a vendor patch is available, promptly update the plugin to the fixed version. Additionally, consider using web application firewalls (WAFs) with custom rules to detect and block suspicious shortcode parameters that attempt to access unauthorized posts.
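The technical summary describes the defect class (a shortcode that renders whichever post ID it is handed) and the mitigation section asks for an access control check in the plugin code or via custom hooks. The following PHP is an added example written for this page; it is not code from the Charity Addon for Elementor plugin and it does not reproduce the real 'nacharity_elementor_template' handler. The shortcode tag 'example_render_template', the option 'example_template_allowed_types' and the action 'example_template_denied' are hypothetical names chosen for illustration. It assumes a standard WordPress environment, that the template post type uses WordPress's meta-capability mapping (Elementor registers its library type with 'capability_type' set to 'post'; treat that as an assumption to verify on your install), and that Elementor's public frontend renderer `\Elementor\Plugin::$instance->frontend->get_builder_content_for_display()` is available when the class is loaded. The unchecked variant is shown only to make the difference visible; the checked variant is the one registered.

```php
<?php
/**
 * Added example (not the plugin's own code): a template-rendering shortcode
 * that validates the user-controlled post key before rendering.
 * Hypothetical names: 'example_render_template' (shortcode tag),
 * 'example_template_allowed_types' (option), 'example_template_denied' (action).
 */

// BEFORE (the pattern CWE-639 describes): the post ID comes straight from the
// shortcode attribute and is rendered regardless of post status or ownership.
function example_render_template_unchecked( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'example_render_template' );
    $post = get_post( absint( $atts['id'] ) );
    return $post ? apply_filters( 'the_content', $post->post_content ) : '';
}

// AFTER: the key is checked against WordPress's own authorization model and
// against the post types this shortcode is meant to serve.
function example_render_template_checked( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'example_render_template' );
    $post_id = absint( $atts['id'] );
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post ) {
        return '';
    }

    // 1. Type allow-list (assumed option; default to Elementor's library type so
    //    the shortcode cannot be pointed at arbitrary posts or pages).
    $allowed_types = (array) get_option( 'example_template_allowed_types', array( 'elementor_library' ) );
    if ( ! in_array( $post->post_type, $allowed_types, true ) ) {
        return '';
    }

    // 2. Password-protected content is never rendered through a shortcode.
    if ( post_password_required( $post ) ) {
        return '';
    }

    // 3. Anything that is not published must pass the 'read_post' meta capability.
    //    map_meta_cap() resolves it to 'read_private_posts' for private posts and
    //    to the edit capabilities for other authors' drafts, which a Contributor
    //    does not hold. Published posts are left readable so front-end visitors
    //    (who have no 'read' capability at all) still see the intended template.
    if ( 'publish' !== get_post_status( $post ) && ! current_user_can( 'read_post', $post->ID ) ) {
        // Surface the refusal to whatever audit or monitoring layer is hooked.
        do_action( 'example_template_denied', $post->ID, get_current_user_id() );
        return '';
    }

    // 4. Render. Hand off to Elementor's frontend renderer when present
    //    (assumed public API), otherwise fall back to WordPress content filters.
    if ( class_exists( '\Elementor\Plugin' ) ) {
        return \Elementor\Plugin::$instance->frontend->get_builder_content_for_display( $post->ID );
    }
    return apply_filters( 'the_content', $post->post_content );
}

add_shortcode( 'example_render_template', 'example_render_template_checked' );

// Minimal audit sink for the monitoring recommendation: record who requested
// which post and was refused, so repeated probing of draft/private IDs is visible.
add_action( 'example_template_denied', function ( $post_id, $user_id ) {
    error_log( sprintf( 'template shortcode denied: post=%d user=%d', $post_id, $user_id ) );
}, 10, 2 );
```

The design choice worth noting is step 3: rather than hand-rolling a role comparison, the check delegates to `current_user_can( 'read_post', ... )`, so it automatically follows the site's own capability configuration (custom roles, per-type capabilities) and stays correct if the template post type's capabilities are later changed. The denied-attempt action gives the "monitor user activity" recommendation something concrete to hook into without the shortcode itself needing to know about the logging stack.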
Affected Countries
United States, United Kingdom, Germany, Australia, Canada, France, Netherlands, India, Brazil, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-02T20:44:10.412Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e2db7ef31ef0b59736e
Added to database: 2/25/2026, 9:48:29 PM
Last enriched: 2/26/2026, 6:45:54 AM
Last updated: 2/26/2026, 9:06:45 AM