Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) < 1.1.35 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-34547 | Plugin Vulnerabilities

Description

The Magical Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 1.1.35 (exclusive) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

magical-addons-for-elementor

Fixed in 1.1.35

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0febc283-6c4a-472a-a211-0df853d63f7b

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Khalid

Verified

No

WPVDB ID

b455a0f9-682e-452f-8642-7daf7646b32e

Timeline

Publicly Published

2024-05-07 (about 2 years ago)

Added

2024-05-16 (about 1 year ago)

Last Updated

2024-05-16 (about 1 year ago)

Other

Published

Title

Published

2024-03-08

Title

Easy Accordion – Best Accordion FAQ Plugin for WordPress < 2.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-22

Title

Post in page for Elementor < 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-02-02

Title

Scroll Triggered Box <= 2.3 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2025-05-09

Title

WPForms Lite < 1.9.5.1 - Contributor+ Stored XSS via 'start_timestamp' Parameter

Published

2025-07-23

Title

CaptionPix <= 1.8 - Reflected Cross-Site Scripting