Stored XSS Vulnerability in Elementor Addons
CVE-2024-10310

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Element Pack Elementor Addons (header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Vendor: CVE Published:; 2 November 2024

Summary

The Element Pack Elementor Addons plugin for WordPress contains a Stored Cross-Site Scripting vulnerability due to inadequate sanitization of user input in its Custom Gallery Widget. Specifically, the 'image_title' parameter lacks proper input validation and output escaping, allowing authenticated attackers with Contributor-level access or greater to inject malicious scripts. These scripts will execute when users access affected pages, potentially compromising site security and user data. It is crucial for users of this plugin to apply security best practices and update to the latest version to mitigate risks.

Affected Version(s)

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) * <= 5.10.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3176764/bdth...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 2, 2024

Credit

D.Sim