WordPress Plugin Vulnerabilities

Premium Addons for Elementor < 4.10.19 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize and escape its buttons' onclick attribute, making it possible for users with at least the contributor role to conduct Stored XSS attacks.

Affects Plugins

Plugin icon
premium-addons-for-elementor
Fixed in 4.10.19

References

CVE
CVE-2024-1242
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1026b753-e82b-4fa3-9023-c36ab9863b29

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Nikolas
Verified
No
WPVDB ID
e6fe93b5-ba6b-4aa0-8b2c-e91ab4c5e3d6

Timeline

Publicly Published
2024-02-14 (about 2 years ago)
Added
2024-02-15 (about 2 years ago)
Last Updated
2024-02-15 (about 2 years ago)

Other

Published
Title
Published
2025-02-21
Title
DB Tables Import/Export <= 1.0.1 - Reflected Cross-Site Scripting
Published
2024-11-25
Title
Support SVG – Upload svg files in wordpress without hassle < 1.1.1 - Authenticated (Author+) Stored Cross-site Scripting via SVG File Upload
Published
2025-10-21
Title
JB News Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-05-03
Title
Simple Membership < 4.4.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-05-09
Title
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.103 - Reflected Cross-Site Scripting