The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sg_general_toggle_tab_enable and sg_accordion_style attributes within the plugin's JKit - Tabs and JKit - Accordion widget, respectively, in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Configurations
History
21 Nov 2024, 09:42
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.5/class/elements/views/class-accordion-view.php#L22 - Patch | |
References | () https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.5/class/elements/views/class-tabs-view.php#L88 - Patch | |
References | () https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.5/class/elements/views/class-view-abstract.php#L195 - Patch | |
References | () https://plugins.trac.wordpress.org/changeset/3102228/ - Patch | |
References | () https://wordpress.org/plugins/jeg-elementor-kit/#developers - Release Notes | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/c6048ba9-671f-4729-9618-d7a0556a31e6?source=cve - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.4 |
26 Jul 2024, 13:35
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:jegtheme:jeg_elementor_kit:*:*:*:*:*:wordpress:*:* | |
First Time |
Jegtheme jeg Elementor Kit
Jegtheme |
|
CWE | CWE-79 | |
References | () https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.5/class/elements/views/class-accordion-view.php#L22 - Patch | |
References | () https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.5/class/elements/views/class-tabs-view.php#L88 - Patch | |
References | () https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.5/class/elements/views/class-view-abstract.php#L195 - Patch | |
References | () https://plugins.trac.wordpress.org/changeset/3102228/ - Patch | |
References | () https://wordpress.org/plugins/jeg-elementor-kit/#developers - Release Notes | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/c6048ba9-671f-4729-9618-d7a0556a31e6?source=cve - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
17 Jun 2024, 12:42
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
15 Jun 2024, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-15 02:15
Updated : 2024-11-21 09:42
NVD link : CVE-2024-4479
Mitre link : CVE-2024-4479
CVE.ORG link : CVE-2024-4479
JSON object : View
Products Affected
jegtheme
- jeg_elementor_kit
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')