WordPress Plugin Vulnerabilities

Essential Addons for Elementor Lite < 5.0.9 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker.

Affects Plugins

Plugin icon
essential-addons-for-elementor-lite
Fixed in 5.0.9

References

CVE
CVE-2022-0683
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0683

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Pham Van Khanh (rskvp93) from VCSLab of Viettel Cyber Security & Nguyen Dinh Bien (biennd4) from VCSLab of Viettel Cyber Security.
Verified
Yes
WPVDB ID
9ea3248d-8320-465f-bf31-4365148b4b56

Timeline

Publicly Published
2022-02-18 (about 1 years ago)
Added
2022-02-20 (about 1 years ago)
Last Updated
2022-04-09 (about 1 years ago)

Other

Published
Title
Published
2023-02-14
Title
Quick Paypal Payments < 5.7.26 - Unauthenticated Stored XSS
Published
2014-06-12
Title
Ruven Toolkit <= 1.1 - tinymce/popup.php popup Parameter Reflected XSS
Published
2023-03-08
Title
Popup box < 3.4.5 - Reflected XSS
Published
2015-02-09
Title
WP eCommerce 3.8.9.5 - Cross-Site Scripting (XSS)
Published
2015-12-02
Title
Ultimate Member < 1.3.29 - Unauthenticated Reflected Cross-Site Scripting (XSS)