Stored Cross-Site Scripting in ElementsKit for WordPress
CVE-2024-11180

6.4 MEDIUM

What is CVE-2024-11180?

The ElementsKit Elementor addons plugin for WordPress has a vulnerability that could allow authenticated attackers with Contributor-level access and above to perform Stored Cross-Site Scripting via the Countdown Timer Widget. The vulnerability arises from inadequate input sanitization and output escaping in the ekit_countdown_timer_title parameter, enabling the injection of arbitrary web scripts into pages. These scripts execute whenever a user accesses the compromised pages, posing significant risks to site integrity and user data.

Affected Version(s)

ElementsKit Elementor Addons and Templates * <= 3.4.7

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

D.Sim