PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) < 2.7.20 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | CVE 2024-5327 | Plugin Vulnerabilities

Description

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘pp_animated_gradient_bg_color’ parameter in all versions up to, and including, 2.7.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

powerpack-lite-for-elementor

Fixed in 2.7.20

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5618fdfc-636f-452b-80e1-5182b068d1c6

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

2b4f0bd8-5ddd-4ed0-9009-a5b6ee5da4cf

Timeline

Publicly Published

2024-05-29 (about 1 year ago)

Added

2024-05-29 (about 1 year ago)

Last Updated

2024-05-30 (about 1 year ago)

Other

Published

Title

Published

2024-03-29

Title

User Rights Access Manager <= 1.1.2 - Reflected Cross-Site Scripting

Published

2025-05-07

Title

Contest Gallery < 26.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Published

2024-04-15

Title

Shortcodes and extra features for Phlox theme < 2.15.8 - Contributor+ XSS via HTML Element

Published

2024-12-11

Title

Seraphinite Bulk Discounts for WooCommerce < 2.4.7 - Reflected Cross-Site Scripting

Published

2025-09-29

Title

FancyTabs <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter