WordPress Plugin Vulnerabilities

Themesflat Addons For Elementor < 2.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider Widget in all versions up to, and including, 2.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
themesflat-addons-for-elementor
Fixed in 2.2.5

References

CVE
CVE-2024-12205
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/45c6c041-91b0-4abe-ba72-ec1251651fdb

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
cc8ecf26-e049-4945-9391-f8188b2f7ec4

Timeline

Publicly Published
2025-01-07 (about 1 year ago)
Added
2025-01-07 (about 1 year ago)
Last Updated
2025-01-08 (about 1 year ago)

Other

Published
Title
Published
2025-05-01
Title
tagDiv Composer < 5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes
Published
2024-07-06
Title
Link To Bible < 2.5.10 - Administrator+ Stored XSS
Published
2025-02-02
Title
WP Church Center <= 1.3.3 - Reflected Cross-Site Scripting
Published
2025-04-01
Title
WP Plugin Info Card < 5.3.1 - Contributor+ Stored XSS
Published
2026-02-04
Title
Robin Image Optimizer < 2.0.3 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field