WordPress Plugin Vulnerabilities

Starter Templates — Elementor, WordPress & Beaver Builder Templates < 4.2.2 - Contributor+ Stored Cross-Site Scripting

Description

The Starter Templates — Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
astra-sites
Fixed in 4.2.2

References

CVE
CVE-2024-4630
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/25edb9e8-65ea-41d1-a95f-09be110ec1d2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
530ec495-fbb4-4c47-8700-da72cfa6416b

Timeline

Publicly Published
2024-05-10 (about 2 years ago)
Added
2024-05-31 (about 1 year ago)
Last Updated
2024-05-31 (about 1 year ago)

Other

Published
Title
Published
2025-03-31
Title
Infusionsoft Web Form JavaScript <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-18
Title
Coronavirus (COVID-19) Notice Message <= 1.1.2 - Admin+ Stored XSS
Published
2024-11-08
Title
Mobile Kiosk <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
ZooEffect 1.08 - HTTP Referer Reflected XSS
Published
2025-09-26
Title
Job Board Manager <= 2.1.61 - Authenticated (Contributor+) Stored Cross-Site Scripting