Stored Cross-Site Scripting Vulnerability in Qi Addons For Elementor by WordPress
CVE-2024-13699

5.4MEDIUM

Key Information:

Vendor: Qodeinteractive
Status: Qi Addons For Elementor
Vendor: CVE Published:; 4 February 2025

Summary

The Qi Addons For Elementor plugin for WordPress suffers from a vulnerability that allows authenticated users with Contributor-level access and higher to execute arbitrary web scripts on targeted pages. This occurs via the ‘cursor’ parameter due to a lack of proper input sanitization and output escaping. Consequently, whenever a user accesses an injected page, harmful scripts could be executed, posing significant risks to site integrity and user data. Although attempts were made to address this issue in versions 1.8.5, 1.8.6, and 1.8.7, the vulnerability remains a concern for users relying on these versions.

Affected Version(s)

Qi Addons For Elementor * <= 1.8.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/qi-addons-for-...

https://plugins.trac.wordpress.org/changeset/3230342/

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 4, 2025
Vulnerability Reserved
Jan 24, 2025

Credit

D.Sim