JetWidgets For Elementor < 1.0.18 – Authenticated (Contributor+) Stored Cross-Site Scripting via layout_type and id Parameters | CVE 2024-4626 | Plugin Vulnerabilities

Description

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_type’ and 'id' parameters in all versions up to, and including, 1.0.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

jetwidgets-for-elementor

Fixed in 1.0.18

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4457d15e-2c01-498d-b94a-a6e93adcf70c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

08a58b12-dcc3-4eed-8c26-e5799c3fadac

Timeline

Publicly Published

2024-06-19 (about 2 years ago)

Added

2024-06-19 (about 2 years ago)

Last Updated

2024-06-20 (about 2 years ago)

Other

Published

Title

Published

2021-09-15

Title

Compact WP Audio Player < 1.9.7 - Contributor+ Stored Cross-Site Scripting

Published

2024-01-09

Title

List category posts < 0.89.4 - Contributor+ Stored Cross-Site Scripting via Shortcode

Published

2025-03-27

Title

Clearout Email Validator < 3.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2022-07-18

Title

Name Directory < 1.25.5 - Stored Cross-Site Scripting via CSRF

Published

2024-06-14

Title

ElementsKit Elementor addons and Templates Library < 3.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Motion Text and Table Widgets