WordPress Plugin Vulnerabilities

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders < 5.9.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'get_manual_calendar_events' function in all versions up to, and including, 5.9.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
essential-addons-for-elementor-lite
Fixed in 5.9.23

References

CVE
CVE-2024-5188
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5a1d5fd1-80b6-4d62-9837-59ee1e020373

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Ngô Thiên An (ancorn_)
Verified
No
WPVDB ID
cc3a2660-8612-42f1-bbba-714a0e35ae67

Timeline

Publicly Published
2024-06-05 (about 1 year ago)
Added
2024-06-11 (about 1 year ago)
Last Updated
2024-06-11 (about 1 year ago)

Other

Published
Title
Published
2025-09-30
Title
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns < 2.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-11-29
Title
BrainCert – HTML5 Virtual Classroom < 2.2 - Reflected Cross-Site Scripting
Published
2026-03-31
Title
King Addons for Elementor < 51.1.54 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Widgets
Published
2015-08-04
Title
Altos Connect Widget <= 1.3.0 - Unauthenticated Cross-Site Scripting (XSS)
Published
2025-04-04
Title
Search, Filters & Merchandising for WooCommerce < 3.0.59 - Authenticated (Contributor+) Stored Cross-Site Scripting