CVE-2024-4489

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 1.3.976 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*

History

11 Jun 2024, 18:07

Type Values Removed Values Added
First Time Royal-elementor-addons
Royal-elementor-addons royal Elementor Addons
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 5.4
CWE CWE-79
CPE cpe:2.3:a:royal-elementor-addons:royal_elementor_addons:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.3.973/admin/templates-kit.php#L896 - () https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.3.973/admin/templates-kit.php#L896 - Product
References () https://plugins.trac.wordpress.org/changeset/3097775/ - () https://plugins.trac.wordpress.org/changeset/3097775/ - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/57bf222b-5f49-46e2-be84-3e6444807096?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/57bf222b-5f49-46e2-be84-3e6444807096?source=cve - Third Party Advisory

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) El complemento Royal Elementor Addons and Templates para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de la función 'custom_upload_mimes' en versiones hasta la 1.3.976 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con permisos de nivel de colaborador y superiores, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.

07 Jun 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-07 07:15

Updated : 2024-06-11 18:07


NVD link : CVE-2024-4489

Mitre link : CVE-2024-4489

CVE.ORG link : CVE-2024-4489


JSON object : View

Products Affected

royal-elementor-addons

  • royal_elementor_addons
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')