WordPress Plugin Vulnerabilities

The Plus Addons for Elementor < 5.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

Description

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Countdown' widget in all versions up to, and including, 5.6.1 due to insufficient input sanitization and output escaping on user supplied 'text_days' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
the-plus-addons-for-elementor-page-builder
Fixed in 5.6.2

References

CVE
CVE-2024-4482
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/25e42bf8-794e-46a5-b7db-f1f8802bba00

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
ee8f888f-7371-430a-96e7-ab803c89ccde

Timeline

Publicly Published
2024-07-02 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2026-02-18
Title
Institute Management <= 5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Enquiry Form Title' Setting
Published
2021-07-29
Title
Splash Header < 1.20.8 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2025-04-28
Title
Qi Blocks < 1.4 - Contributor+ Stored XSS via ToC Block
Published
2026-01-08
Title
Brevo for WooCommerce < 4.0.50 - Unauthenticated Stored Cross-Site Scripting
Published
2025-01-22
Title
MDTF – Meta Data and Taxonomies Filter < 1.3.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting