CVE-2024-5612

The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_lightbox_open_btn_icon’ parameter within the Lightbox & Modal widget in all versions up to, and including, 5.8.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpdeveloper:essential_addons_for_elementor:*:*:*:*:pro:wordpress:*:*

History

29 Oct 2024, 18:05

Type Values Removed Values Added
CWE CWE-79
References () https://essential-addons.com/changelog/ - () https://essential-addons.com/changelog/ - Release Notes
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/8dbe4104-b7d1-484f-a843-a3d1fc02999d?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/8dbe4104-b7d1-484f-a843-a3d1fc02999d?source=cve - Third Party Advisory
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 5.4
First Time Wpdeveloper essential Addons For Elementor
Wpdeveloper
CPE cpe:2.3:a:wpdeveloper:essential_addons_for_elementor:*:*:*:*:pro:wordpress:*:*

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) El complemento Essential Addons for Elementor Pro para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro 'eael_lightbox_open_btn_icon' dentro del widget Lightbox & Modal en todas las versiones hasta la 5.8.15 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.

07 Jun 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-07 05:15

Updated : 2024-10-29 18:05


NVD link : CVE-2024-5612

Mitre link : CVE-2024-5612

CVE.ORG link : CVE-2024-5612


JSON object : View

Products Affected

wpdeveloper

  • essential_addons_for_elementor
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')