A severe security vulnerability (CVE-2024-56000) in the K Elements plugin, which is widely used by websites running the Kleo WordPress theme, affects over 23,000 websites. The flaw, classified as a privilege escalation vulnerability, has been assigned a CVSS score of 9.8.
The flaw in the K Elements plugin stems from a broken authentication process in Facebook’s social login feature. Attackers can exploit this weakness to log in as any user simply by supplying the victim’s email address.
This vulnerability enables account takeovers, potentially compromising sensitive user data and website integrity.
Researchers discovered that the underlying problem lies within the ‘kleo_fb_initialise’ function. Here, the ‘$FB_userid’ variable is constructed directly from the request parameter ‘$_REQUEST[FB_userdata]’, which the caller controls. Because no proper verification exists, the system allows an unauthorised user to log in using another user’s email address. The function then authenticates the attacker by calling ‘wp_set_auth_cookie’ on the compromised user’s ID.

K Elements plugin version 5.4.0 fixes the flaw. The patch ensures that Facebook login authentication undergoes proper validation using the ‘kleo_verify_facebook_token_and_get_data’ function. This method verifies the authentication response directly from Facebook, preventing attackers from bypassing security controls.
“The vendor patched the issue by performing a proper check on the Facebook login process. The function will now use kleo_verify_facebook_token_and_get_data to fetch all of the user’s data via the Facebook access token,” the researcher wrote.
A few weeks back, the ASE WordPress flaw also exposed sites to privilege escalation. Last month, the Easy Real Estate plugin was plagued by two vulnerabilities affecting 32,600 websites.
In January 2025, researchers discovered that a credit card skimmer malware is exploiting flaws in WordPress websites to steal payment information during checkout.
“For custom social login processes with platforms such as Facebook, Twitter, and Google, make sure to implement the best practice of the social login process of each platform and only trust response input such as email or unique user ID from the platform’s valid authentication response and don’t directly rely on the user input,” the researcher concluded.
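To make the difference between the flawed flow and the patched one concrete, here is an added illustrative pair of WordPress login handlers. This is not the K Elements plugin’s code; the function names (‘example_…’), the ‘FB_token’ parameter and the use of Facebook’s Graph API ‘/me’ endpoint are this example’s own assumptions, and only WordPress core functions are used.

```php
<?php
// Added illustrative example, not the K Elements plugin's own code.
// Assumes WordPress core functions; the example_* names, the FB_token
// parameter and the Graph API call are this example's own choices.

// Vulnerable pattern (the bug class described above): the identity is read
// straight from the request, so anyone who knows a victim's email address
// can be logged in as that account.
function example_fb_login_vulnerable() {
    $data  = isset( $_REQUEST['FB_userdata'] ) ? (array) $_REQUEST['FB_userdata'] : array();
    $email = sanitize_email( $data['email'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID ); // trusts unverified client input
    }
}

// Hardened pattern: only the access token comes from the request; the email
// and Facebook user ID come from Facebook's own answer to that token.
// Production code should also confirm the token was issued for this site's
// app (Facebook's /debug_token endpoint) before accepting the identity.
function example_verify_facebook_token( $access_token ) {
    $url = add_query_arg(
        array( 'fields' => 'id,email', 'access_token' => $access_token ),
        'https://graph.facebook.com/me'
    );
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $body['id'] ) || empty( $body['email'] ) ) {
        return null; // no verified identity means no login
    }
    return $body;
}

function example_fb_login_hardened() {
    $token = isset( $_REQUEST['FB_token'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['FB_token'] ) ) : '';
    if ( '' === $token ) {
        return;
    }
    $identity = example_verify_facebook_token( $token );
    if ( null === $identity ) {
        wp_die( 'Facebook login could not be verified.', 'Login failed', array( 'response' => 403 ) );
    }
    $user = get_user_by( 'email', $identity['email'] ); // email from Facebook, not the client
    if ( $user ) {
        wp_set_auth_cookie( $user->ID, false, is_ssl() );
        wp_set_current_user( $user->ID );
    }
}
```

The hardened handler never maps a client-supplied email to a WordPress account; a request carrying an email but no token that Facebook will vouch for simply does nothing.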