WordPress Plugin Vulnerabilities

Happy Addons for Elementor < 3.10.2 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize the wrapper link parameter in the Age Gate, allowing users with at least the contributor access to conduct Stored XSS attacks.

Affects Plugins

Plugin icon
happy-elementor-addons
Fixed in 3.10.2

References

CVE
CVE-2024-0438
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/267641fe-7490-4b8f-bb39-9531eefa2c30

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
0203d351-c719-4f5d-9130-0369b993847d

Timeline

Publicly Published
2024-02-13 (about 2 years ago)
Added
2024-02-15 (about 2 years ago)
Last Updated
2024-02-15 (about 2 years ago)

Other

Published
Title
Published
2024-02-28
Title
Events Manager < 6.4.7 - Authenticated(Administator+) Stored Cross-Site Scripting via settings
Published
2024-02-23
Title
YML for Yandex Market < 4.2.4 - Reflected Cross-Site Scripting
Published
2024-04-30
Title
Cost Calculator Builder Pro < 3.1.68 - Unauthenticated Cross-Site Scripting via SVG Upload
Published
2024-05-08
Title
Enter Addons < 2.1.6 - Contributor+ Stored XSS via Heading widget
Published
2023-12-15
Title
Post Grid Combo – 36+ Gutenberg Blocks < 2.2.65 - Authenticated (Contributor+) Cross-Site Scripting