CVE-2024-4488

The Royal Elementor Addons and Templates for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘inline_list’ parameter in versions up to, and including, 1.3.976 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*

History

11 Jun 2024, 18:09

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
First Time Royal-elementor-addons
Royal-elementor-addons royal Elementor Addons
CWE CWE-79
References () https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/form-builder/widgets/wpr-form-builder.php#L3238 - () https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/form-builder/widgets/wpr-form-builder.php#L3238 - Product
References () https://plugins.trac.wordpress.org/changeset/3097775/ - () https://plugins.trac.wordpress.org/changeset/3097775/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/cb0ac434-7e85-44d4-b21e-df462f63cd9c?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/cb0ac434-7e85-44d4-b21e-df462f63cd9c?source=cve - Third Party Advisory

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) Los complementos Royal Elementor Addons and Templates para WordPress son vulnerables a Cross-Site Scripting Almacenado a través del parámetro 'inline_list' en versiones hasta la 1.3.976 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con permisos de nivel de colaborador y superiores, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.

07 Jun 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-07 07:15

Updated : 2024-06-11 18:09


NVD link : CVE-2024-4488

Mitre link : CVE-2024-4488

CVE.ORG link : CVE-2024-4488


JSON object : View

Products Affected

royal-elementor-addons

  • royal_elementor_addons
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')