RLM Elementor Widgets Pack < 1.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-50542 | Plugin Vulnerabilities

Description

The RLM Elementor Widgets Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

rlm-elementor-widgets-pack

Fixed in 1.4.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4f417d54-5aa6-4ef4-870a-12a9fa73050d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Gab

Verified

No

WPVDB ID

6d26c649-65d7-486a-87a5-9bee403123ca

Timeline

Publicly Published

2024-10-31 (about 1 year ago)

Added

2024-11-06 (about 1 year ago)

Last Updated

2024-11-06 (about 1 year ago)

Other

Published

Title

Published

2024-11-04

Title

Forms: 3rd-Party Post Again <= 0.3 - Reflected Cross-Site Scripting

Published

2025-03-19

Title

HT Mega – Absolute Addons For Elementor < 2.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Published

2024-07-16

Title

Ajax Search Lite < 4.12.1 - Admin+ Stored XSS

Published

2022-03-29

Title

Books & Papers <= 0.20210223 - Admin+ Stored Cross-Site Scripting

Published

2024-08-07

Title

Themify Shortcodes < 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting