WordPress Plugin Vulnerabilities

Exclusive Addons for Elementor < 2.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget

Description

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
exclusive-addons-for-elementor
Fixed in 2.6.9.1

References

CVE
CVE-2024-1413
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f40956e0-6e5c-4965-84f8-2420ad14a299

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
RandomRoot
Verified
No
WPVDB ID
5ab722a5-be37-4167-87ca-d198116b0c97

Timeline

Publicly Published
2024-02-29 (about 2 years ago)
Added
2024-02-29 (about 2 years ago)
Last Updated
2024-02-29 (about 2 years ago)

Other

Published
Title
Published
2024-12-30
Title
Pronamic Google Maps < 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-13
Title
DethemeKit for Elementor < 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-31
Title
ThemeShark Templates & Widgets for Elementor <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-09-14
Title
Slider, Gallery, and Carousel by MetaSlider < 3.27.9 - Admin+ Stored Cross Site Scripting
Published
2024-05-17
Title
Happy Addons for Elementor < 3.10.9 - Contributor+ Stored XSS