Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.9.24 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-5189 | Plugin Vulnerabilities

Description

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_js’ parameter in all versions up to, and including, 5.9.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

essential-addons-for-elementor-lite

Fixed in 5.9.24

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/aa70238b-530e-4c90-82f4-c3113887d0e1

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

9b5b4899-630b-45c7-8fd3-6227594a3353

Timeline

Publicly Published

2024-06-10 (about 1 year ago)

Added

2024-06-11 (about 1 year ago)

Last Updated

2024-06-11 (about 1 year ago)

Other

Published

Title

Published

2025-01-07

Title

Powerful Auto Chat <= 1.9.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2014-08-01

Title

AVChat Video Chat 1.4.1 - index_popup.php Multiple Parameters Reflected XSS

Published

2023-08-02

Title

Woo Custom Emails <= 2.2 - Reflected XSS

Published

2014-09-17

Title

WP Photo Album Plus 5.4.5 - 5.4.8 Stored XSS

Published

2024-05-29

Title

WP Content Copy Protection & No Right Click (premium) <= 15.0 - Admin+ Stored XSS