Ultimate Addons for Elementor < 1.30.0 - Contributor+ Stored XSS
Description
The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. These vulnerabilities were discovered and patched by Brainstorm Force after the Wordfence Threat Intelligence team notified them of similar vulnerabilities in their " Elementor – Header, Footer & Blocks Template" plugin, and are nearly identical to the vulnerabilities we have recently disclosed in the main Elementor plugin: https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/
Affects Plugins
Fixed in version 1.30.0✓
Classification
Miscellaneous
Original Researcher
Ramuel Gall
Submitter
Ramuel Gall
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-13 (about 3 months ago)
Added
2021-04-14 (about 3 months ago)
Last Updated
2021-04-18 (about 3 months ago)