Stored Cross-Site Scripting in Premium Addons Pro for Elementor by WordPress
CVE-2024-4203

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Premium Addons For Elementor
Vendor: CVE Published:; 2 May 2024

Summary

The Premium Addons Pro for Elementor plugin for WordPress has a vulnerability that allows authenticated users with contributor-level access and higher to execute arbitrary web scripts. This occurs via the maps widget due to inadequate input sanitization and output escaping on user-supplied attributes. Users accessing pages with injected scripts could unknowingly run malicious code. The issue affects all versions up to and including 4.10.30 of the premium plugin, highlighting the importance of keeping plugins updated to mitigate such risks.

Affected Version(s)

Premium Addons for Elementor * <= 4.10.30

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3078006/prem...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Apr 25, 2024

Credit

Ngô Thiên An