Sina Extension for Elementor < 3.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via read_more_text Parameter | CVE 2024-5260 | Plugin Vulnerabilities

Description

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘read_more_text’ parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

sina-extension-for-elementor

Fixed in 3.5.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/da6dcf5c-bb70-4227-a784-55cf28980308

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

24decb31-bec9-43cf-97cd-b5b2bf9dc293

Timeline

Publicly Published

2024-07-01 (about 1 year ago)

Added

2024-07-02 (about 1 year ago)

Last Updated

2024-07-03 (about 1 year ago)

Other

Published

Title

Published

2023-12-18

Title

AMP for WP – Accelerated Mobile Pages < 1.0.92.1 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode

Published

2026-04-03

Title

WPFunnels < 3.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode

Published

2024-07-10

Title

Appmaker – Convert WooCommerce to Android & iOS Native Mobile Apps <= 1.36.12 - Reflected Cross-Site Scripting

Published

2024-12-17

Title

odPhotogallery <= 0.5.3 - Reflected Cross-Site Scripting

Published

2026-05-04

Title

Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute