WordPress Plugin Vulnerabilities

WPZOOM Addons for Elementor < 1.3.5 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting via the 'title_tag' parameter due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
wpzoom-elementor-addons
Fixed in 1.3.5

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e5b98a2c-faed-4e2b-8b94-31e2be95ad40

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Verified
No
WPVDB ID
7db9d1c9-2c7e-41b7-bb1d-3843f094f695

Timeline

Publicly Published
2026-02-26 (about 2 months ago)
Added
2026-04-27 (about 16 days ago)
Last Updated
2026-04-27 (about 16 days ago)

Other

Published
Title
Published
2022-12-23
Title
Super Socializer < 7.13.44 - Contributor+ Stored XSS
Published
2025-01-06
Title
Social Share Buttons for WordPress <= 2.7 - Admin+ Stored XSS
Published
2014-08-01
Title
Relevanssi 2.7.2 - Stored XSS
Published
2024-05-31
Title
CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS
Published
2025-01-29
Title
Responsive Blocks – WordPress Gutenberg Blocks < 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via section_tag Parameter