JetWidgets For Elementor < 1.0.17 – Authenticated(Contributor+) Stored Cross-Site Scripting via Widget Button URL | CVE 2024-2507 | Plugin Vulnerabilities

Description

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget button URL in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

jetwidgets-for-elementor

Fixed in 1.0.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a02f0a23-0b2b-4e16-9f6d-ec6302a0d23b

Classification

Type

CROSS FRAME SCRIPTING

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

João Pedro Soares de Alcântara

Verified

No

WPVDB ID

fe0b6642-2db5-4a82-acf9-4d0593c210b1

Timeline

Publicly Published

2024-03-20 (about 2 years ago)

Added

2024-03-20 (about 2 years ago)

Last Updated

2024-03-20 (about 2 years ago)

Other

Published

Title

Published

2025-06-18

Title

Download Manager < 3.3.19 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode

Published

2026-01-06

Title

Responsive Pricing Table < 5.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'table_currency'

Published

2023-07-19

Title

Elementor < 3.5.5 - Iframe Injection

Published

2024-04-17

Title

Jobs for WordPress < 2.7.6 - Reflected Cross-Site Scripting via job-search

Published

2025-03-14

Title

WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto < 8.0.10 - Unauthenticated Stored Cross-Site Scripting