Stored Cross-Site Scripting Vulnerability in Royal Elementor Addons and Templates for WordPress
CVE-2024-0442

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Royal Elementor Addons and Templates
Vendor: CVE Published:; 29 February 2024

Summary

The Royal Elementor Addons and Templates plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) due to inadequate input sanitization and output escaping. This vulnerability affects all versions up to 1.3.87 and allows authenticated attackers with contributor access or higher to inject malicious scripts through element URL parameters. Consequently, these scripts will execute every time a user accesses a page that has been compromised, exposing visitors to potential data theft or site hijacking.

Affected Version(s)

Royal Elementor Addons and Templates * <= 1.3.87

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?old_path=/ro...

https://plugins.trac.wordpress.org/changeset/3032004/roya...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Jan 11, 2024

Credit

Craig Smith