WPZOOM Addons for Elementor (Templates, Widgets) <= <=1.1.35 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-33539 | Plugin Vulnerabilities

Description

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.1.35 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag.' This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

wpzoom-elementor-addons

Fixed in 1.1.36

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/61589c29-3f81-49e2-b001-c51892141c76

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Khalid

Verified

No

WPVDB ID

3c5cc419-6a89-4c24-8fa3-e56661f82929

Timeline

Publicly Published

2024-04-25 (about 2 years ago)

Added

2024-05-01 (about 2 years ago)

Last Updated

2024-05-01 (about 2 years ago)

Other

Published

Title

Published

2025-04-17

Title

Download Manager < 3.3.13 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2024-04-24

Title

Base64 Encoder/Decoder <= 0.9.2 - Reflected XSS

Published

2021-09-06

Title

Modern Events Calendar Lite < 5.22.2 - Admin+ Stored Cross-Site Scripting

Published

2025-12-21

Title

WH Tweaks < 1.0.3 - Admin+ Stored XSS

Published

2025-09-03

Title

Dadevarzan WordPress Common < 2.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting