Stored Cross-Site Scripting Vulnerability in Master Addons Plugin for WordPress
CVE-2024-9618

5.4MEDIUM

Summary

The Master Addons plugin for WordPress contains a vulnerability that allows for Stored Cross-Site Scripting (XSS) through multiple widgets. This security flaw is present in all versions up to and including 2.0.7.2 and arises from inadequate input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level access or higher can exploit this issue to inject malicious web scripts into pages. These scripts will subsequently execute whenever a user accesses the compromised page, potentially leading to unauthorized actions or data exposure.

Affected Version(s)

Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations * <= 2.0.7.2

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith
.