Stored Cross-Site Scripting in Essential Addons for Elementor
CVE-2024-2650

6.4 MEDIUM

Summary

The Essential Addons for Elementor plugin for WordPress, widely used to build custom templates and extend WooCommerce functionality, is vulnerable to Stored Cross-Site Scripting. The flaw is insufficient input sanitization and output escaping of the alignment parameter of the Woo Product Carousel widget. Authenticated users with contributor-level access or higher can store arbitrary web scripts in pages, and those scripts execute whenever another user views an affected page. Strict input validation on save and output escaping on render are both required to prevent this class of defect.
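To show the defect class the summary describes (a saved widget setting that reaches an HTML attribute with neither validation nor escaping) next to its hardened form, here is an added example. It is not the plugin's own code: the function names, the settings array and the markup are hypothetical reconstructions of the pattern, and the `esc_attr` polyfill stands in for WordPress's function so the file runs under a plain `php` CLI.

```php
<?php
// Added example (not Essential Addons' code). Demonstrates how an unvalidated,
// unescaped widget setting becomes a stored XSS sink, and the fix.
// All names here are hypothetical; they are not the plugin's identifiers.

// Stand-in so the script runs outside WordPress. In a real plugin, use
// WordPress's own esc_attr() (and sanitize_html_class() where applicable).
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the stored setting is concatenated straight into the
// attribute. Anyone allowed to save widget settings (contributor and up in
// this advisory's scenario) therefore controls what every viewer's browser
// parses.
function render_carousel_vulnerable(array $settings): string {
    $alignment = $settings['alignment'] ?? 'left';
    return '<div class="product-carousel" data-align="' . $alignment . '"></div>';
}

// Hardened pattern, step 1: the control only offers a closed set of values,
// so reject anything outside that set at save time and fall back to a default.
const ALLOWED_ALIGNMENTS = ['left', 'center', 'right'];

function sanitize_alignment($value): string {
    $value = is_string($value) ? strtolower(trim($value)) : '';
    return in_array($value, ALLOWED_ALIGNMENTS, true) ? $value : 'left';
}

// Hardened pattern, step 2: escape on output regardless, so a later code path
// that stores something unexpected still cannot break out of the attribute.
function render_carousel_hardened(array $settings): string {
    $alignment = sanitize_alignment($settings['alignment'] ?? 'left');
    return '<div class="product-carousel" data-align="' . esc_attr($alignment) . '"></div>';
}

// Constructed stored setting that closes the attribute and adds an event handler.
$tainted = ['alignment' => 'left" onmouseover="alert(1)'];

echo "vulnerable: " . render_carousel_vulnerable($tainted) . PHP_EOL;
echo "hardened:   " . render_carousel_hardened($tainted) . PHP_EOL;

// Self-check: the hardened output must be exactly the default markup, with no
// characters from the tainted value surviving into the attribute.
$expected = '<div class="product-carousel" data-align="left"></div>';
echo (render_carousel_hardened($tainted) === $expected ? 'OK' : 'FAIL') . PHP_EOL;
```

Run it with `php example.php`. The vulnerable line prints markup containing the injected handler; the hardened line prints only the default `data-align="left"`, because the allow-list rejects the value before escaping is even needed. Validating against the control's real option set is what turns this from "escape and hope" into a closed input domain; escaping is kept as the second layer.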

Affected Version(s)

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders: <= 5.9.11

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Ngô Thiên An
Son Tran