WordPress Plugin Vulnerabilities

Qi Addons For Elementor < 1.6.5 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
qi-addons-for-elementor
Fixed in 1.6.5

References

CVE
CVE-2023-47680

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
b16773f0-998e-4d2e-b92d-35d06176a28c

Timeline

Publicly Published
2023-11-09 (about 2 years ago)
Added
2023-11-14 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2025-09-05
Title
vipdrv <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-06-06
Title
Block for Font Awesome < 1.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-22
Title
PlayerJS <= 2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-01
Title
Eventbee RSVP Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-06
Title
Arigato Autoresponder and Newsletter < 2.7.1.1 - Admin+ Stored XSS