WordPress Plugin Vulnerabilities

Master Addons for Elementor < 2.0.4 - Contributor+ Stored XSS

Description

The plugin does not validate and escape its heading tag dropdown before outputting it back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
master-addons
Fixed in 2.0.4

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/abb7def7-df32-4901-b8ea-068ff1af664b

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Verified
No
WPVDB ID
3351a3fe-a96a-4e3a-a303-4b8f4d7a3487

Timeline

Publicly Published
2023-10-11 (about 2 years ago)
Added
2023-12-12 (about 2 years ago)
Last Updated
2023-12-12 (about 2 years ago)

Other

Published
Title
Published
2023-06-26
Title
Coupon Affiliates < 5.4.4 - Unauthenticated Reflected XSS
Published
2025-01-24
Title
Caching Compatible Cookie Opt-In and JavaScript < 0.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-03-16
Title
tagDiv Opt-In Builder < 1.7.4 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
Widget Control Powered By Everyblock 1.0.1 - wp-admin/admin.php idDropdown Parameter XSS Weakness
Published
2024-09-30
Title
Relogo <= 0.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload