Premium Addons for Elementor < 4.10.34 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | CVE 2024-5553 | Plugin Vulnerabilities

Description

The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via several parameters in all versions up to, and including, 4.10.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses and edits an injected element, and subsequently clicks the element with the mouse scroll wheel.

Affects Plugins

premium-addons-for-elementor

Fixed in 4.10.34

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a80a3108-c685-4e26-9ecd-a0fe6ad4860c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

1609ced4-012f-4945-870f-a741d9d31c46

Timeline

Publicly Published

2024-06-11 (about 1 year ago)

Added

2024-06-11 (about 1 year ago)

Last Updated

2024-06-11 (about 1 year ago)

Other

Published

Title

Published

2026-01-08

Title

Shabat Keeper <= 0.4.4 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']

Published

2025-10-21

Title

Oboxmedia Ads <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-15

Title

WP Popups < 2.1.5.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2021-09-13

Title

Affiliate Power < 2.3.0 - Reflected Cross-Site Scripting

Published

2017-08-24

Title

FG PrestaShop for WooCommerce < 3.20.0 - XSS