WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Ultimate Addons for Elementor < 1.30.0 - Contributor+ Stored XSS

Description

The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

These vulnerabilities were discovered and patched by Brainstorm Force after the Wordfence Threat Intelligence team notified them of similar vulnerabilities in their " Elementor – Header, Footer & Blocks Template" plugin, and are nearly identical to the vulnerabilities we have recently disclosed in the main Elementor plugin: https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/

Affects Plugins

ultimate-elementor
Fixed in version 1.30.0

References

CVE
CVE-2021-24271
URL
https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ecosystem/

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter
ramuelgall
Verified

Yes

WPVDB ID
1ce8e188-6ded-413e-b4d1-bf80258acf79

Timeline

Publicly Published

2021-04-13 (about 1 years ago)

Added

2021-04-14 (about 1 years ago)

Last Updated

2021-04-18 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin