Stored Cross-Site Scripting Vulnerability in Elementor Plugin
CVE-2024-9888
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 16 October 2024
What is CVE-2024-9888?
The ElementInvader Addons for Elementor plugin for WordPress contains a Stored Cross-Site Scripting vulnerability caused by inadequate input sanitization and output escaping of user-supplied attributes, specifically the redirect URL of the plugin's contact form widget. The flaw allows authenticated users with contributor-level access or higher to insert arbitrary web scripts into pages. These scripts execute whenever a user accesses a modified page, potentially leading to unauthorized actions and breaches of user data security. Mitigation strategies include ensuring proper input validation and output encoding to prevent script injection.
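The two mitigations named above, applied to a redirect URL setting, as an added example that is not the plugin's own code. The function names, the `data-redirect` attribute and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from ElementInvader Addons.

/** Input validation on save: accept only absolute http(s) URLs, else ''. */
function example_sanitize_redirect_url(string $raw): string
{
    $url = trim($raw);
    // Reject whitespace and control characters anywhere in the value;
    // browsers may strip them, which can hide a disallowed scheme.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return '';
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return '';
    }
    // Scheme allowlist: anything other than http/https is dropped.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return $url;
}

/** Output encoding on render: re-validate, then escape for an HTML attribute. */
function example_render_redirect_attr(string $stored): string
{
    $safe = example_sanitize_redirect_url($stored);
    $escaped = htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return 'data-redirect="' . $escaped . '"'; // attribute name is an assumption
}

// Constructed sample values for the widget's redirect URL setting.
$samples = [
    'https://example.com/thanks?ref=form', // kept as-is
    'javascript:alert(1)',                 // rejected: scheme not allowed
    "java\tscript:alert(1)",               // rejected: control character
    'https://example.com/"><b>',           // valid URL, but must be escaped
];
foreach ($samples as $s) {
    echo json_encode($s), ' => ', example_render_redirect_attr($s), PHP_EOL;
}
```

In a WordPress plugin, the core functions `esc_url_raw()` (when saving) and `esc_url()` (when printing) fill these two roles.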
Affected Version(s)
ElementInvader Addons for Elementor * <= 1.2.8