WordPress Plugin Vulnerabilities

Magical Addons For Elementor < 1.3.7 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
magical-addons-for-elementor
Fixed in 1.3.7

References

CVE
CVE-2024-54212
URL
https://patchstack.com/database/wordpress/plugin/magical-addons-for-elementor/vulnerability/wordpress-magical-addons-for-elementor-plugin-1-2-6-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
João G. Barbosa (4rCanJ0x!)
Verified
No
WPVDB ID
7fefaa3d-cef6-41c7-b6ef-b02bbc4bdbf8

Timeline

Publicly Published
2024-12-02 (about 1 year ago)
Added
2024-12-12 (about 1 year ago)
Last Updated
2025-05-08 (about 1 year ago)

Other

Published
Title
Published
2025-12-24
Title
Custom Field Template < 2.7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-29
Title
LatePoint < 5.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2026-02-18
Title
Shield Security < 21.0.10 - Unauthenticated Reflected Cross-Site Scripting via 'message' Parameter
Published
2026-02-25
Title
Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' and 'value' Shortcode Attributes
Published
2019-10-16
Title
All In One SEO Pack < 3.2.7 - Stored Cross-Site Scripting (XSS)