Stored Cross-Site Scripting Vulnerability in Royal Elementor Addons for WordPress
CVE-2024-3675

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Royal Elementor Addons And Templates
Vendor: CVE Published:; 2 May 2024

Summary

The Royal Elementor Addons and Templates plugin for WordPress is susceptible to a stored cross-site scripting vulnerability. This issue arises from inadequate input sanitization and output escaping on user-supplied attributes within the plugin's Flip Carousel, Flip Box, Post Grid, and Taxonomy List widgets. Authenticated users with contributor-level access or higher can exploit this vulnerability to inject arbitrary web scripts into pages. These scripts will execute when users access the compromised pages, posing serious security risks to site visitors and data integrity.

Affected Version(s)

Royal Elementor Addons and Templates * <= 1.3.971

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/royal-elemento...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Apr 11, 2024

Credit

Matthew Rollings