Cross-Site Scripting Vulnerability in Elementor Addons for WordPress
CVE-2024-10493

Currently unrated

Key Information:

Badges

👾 Exploit Exists 🟡 Public PoC

Summary

CVE-2024-10493 is a critical Cross-Site Scripting (XSS) vulnerability in the Element Pack Elementor Addons plugin for WordPress, affecting versions before 5.10.3. The flaw arises from improper validation and escaping of certain block option outputs, which allows users with the contributor role or higher to inject malicious scripts into web pages. An attacker can use this to carry out stored XSS attacks, potentially compromising affected WordPress sites and their users. Upgrading to the latest version immediately is recommended.

Affected Version(s)

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) 0 < 5.10.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
WPScan