WordPress Plugin Vulnerabilities

Elementor Header & Footer Builder < 1.6.26.1 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the size attribute due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
header-footer-elementor
Fixed in 1.6.26.1

References

CVE
CVE-2024-2618
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a780ce1b-0758-42ef-88e7-ff8d921eca6e

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
aa28669a-3c64-4e05-beb7-da41701050a5

Timeline

Publicly Published
2024-05-23 (about 1 year ago)
Added
2024-05-24 (about 1 year ago)
Last Updated
2024-05-24 (about 1 year ago)

Other

Published
Title
Published
2024-12-11
Title
WooCommerce PDF Vouchers < 4.9.9 - Authentication Bypass
Published
2024-07-11
Title
Wallet System for WooCommerce < 2.5.14 - Information Exposure via Log Files
Published
2014-08-01
Title
WP-Filebase 0.2.9.24- Unspecified Vulnerabilities
Published
2018-12-03
Title
PropertyHive <= 1.4.25 - Unvalidated Input to do_action()
Published
2014-08-01
Title
WP Property < 1.38.4 - Non-administrative User XMLI Remote Information Disclosure