Stored Cross-Site Scripting in Elementor Addons Plugin by Livemesh for WordPress
CVE-2024-1464

5.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 9 April 2024

Summary

The Elementor Addons by Livemesh plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability caused by insufficient input sanitization and output escaping of the ‘style’ attribute of the Posts Slider widget. Authenticated users with contributor-level access and above can inject arbitrary web scripts into pages, and those scripts execute whenever a user accesses an injected page. End users are at risk whenever they visit affected pages, so website administrators should address this issue promptly.

Affected Version(s)

Elementor Addons by Livemesh * <= 8.3.4

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vinicius