Stored Cross-Site Scripting Vulnerability Affects Themesflat Addons For Elementor Plugin
CVE-2024-8515

5.4MEDIUM

Key Information:

Vendor
Wordpress
Status
Themesflat Addons For Elementor
Vendor
CVE Published:
25 September 2024

Summary

The Themesflat Addons For Elementor plugin for WordPress exhibits a vulnerability that enables Stored Cross-Site Scripting through various widgets such as 'TF E Slider Widget', 'TF Video Widget', and 'TF Team Widget'. This vulnerability arises from inadequate input sanitization and output escaping on URL attributes found within the plugin. Authenticated attackers with Contributor-level access can exploit this security flaw to inject arbitrary web scripts into pages, which will execute whenever a user accesses a compromised page. This presents potential risks for users by exposing them to malicious scripts integrated into the content.

Affected Version(s)

Themesflat Addons For Elementor * <= 2.2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/themesflat-add...
https://plugins.trac.wordpress.org/browser/themesflat-add...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith
.