Stored Cross-Site Scripting Vulnerability in Elementor Addons for WordPress
CVE-2024-10980

Currently unrated

Key Information:

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

CVE-2024-10980 is a vulnerability in the Element Pack Elementor Addons plugin for WordPress, affecting versions prior to 5.10.3. This vulnerability arises from the improper validation and escaping of specific Cookie Consent block options before they are rendered on a page or post. As a result, it enables users with contributor roles or higher to execute Stored Cross-Site Scripting (XSS) attacks. This could allow attackers to inject malicious scripts into pages visited by users, compromising site integrity and user data. Website administrators are strongly advised to update to the latest version to mitigate any potential risks associated with this vulnerability.

Affected Version(s)

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) 0 < 5.10.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
WPScan