Card Elements for Elementor < 1.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-43123 | Plugin Vulnerabilities

Description

The Card Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via title tags in versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

card-elements-for-elementor

Fixed in 1.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c5451e21-2782-4d2b-8c2b-be12102e20c4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Khalid

Verified

No

WPVDB ID

45784aef-5304-49a7-8024-bf2d0c270946

Timeline

Publicly Published

2024-08-07 (about 1 year ago)

Added

2024-08-14 (about 1 year ago)

Last Updated

2024-08-14 (about 1 year ago)

Other

Published

Title

Published

2015-08-21

Title

Social Media Widget by Acurax <= 2.2 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-03-25

Title

Photo Gallery by Ays < 5.5.3 - Reflected Cross-Site Scripting

Published

2024-10-18

Title

Easy Addons for Elementor <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-06-01

Title

WordPress Bitcoin Payments - Blockonomics < 3.3 - Reflected Cross-Site Scripting (XSS)

Published

2024-02-16

Title

Page scroll to id < 1.7.9 - Contributor+ Stored XSS