The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 6.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Configurations
History
24 Jul 2024, 17:58
Type | Values Removed | Values Added |
---|---|---|
References | () https://plugins.trac.wordpress.org/browser/element-ready-lite/trunk/inc/Widgets/info_box/Element_Ready_Info_Box_Widget.php#L742 - Patch | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/d2cffdc3-bd74-42ab-befd-8a396c5d990d?source=cve - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CWE | CWE-79 | |
CPE | cpe:2.3:a:quomodosoft:elementsready:*:*:*:*:*:wordpress:*:* | |
First Time |
Quomodosoft elementsready
Quomodosoft |
06 Jun 2024, 14:17
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
06 Jun 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 04:15
Updated : 2024-07-24 17:58
NVD link : CVE-2024-5152
Mitre link : CVE-2024-5152
CVE.ORG link : CVE-2024-5152
JSON object : View
Products Affected
quomodosoft
- elementsready
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')