CVE-2024-7144

The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'slide_id' parameters in all versions up to, and including, 2.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Configurations

Configuration 1 (hide)

cpe:2.3:a:crocoblock:jetelements:*:*:*:*:*:wordpress:*:*

History

13 Sep 2024, 14:40

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.4
v2 : unknown
v3 : 5.4
First Time Crocoblock
Crocoblock jetelements
CPE cpe:2.3:a:crocoblock:jetelements:*:*:*:*:*:wordpress:*:*
References () https://crocoblock.com/plugins/jetelements/ - () https://crocoblock.com/plugins/jetelements/ - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c5e64adf-49b3-4e85-8dc1-918f7e92965b?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/c5e64adf-49b3-4e85-8dc1-918f7e92965b?source=cve - Third Party Advisory

19 Aug 2024, 13:00

Type Values Removed Values Added
Summary
  • (es) El complemento JetElements para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de los parámetros 'id' y 'slide_id' en todas las versiones hasta la 2.6.20 incluida debido a una desinfección de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.

16 Aug 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-16 14:15

Updated : 2024-09-13 14:40


NVD link : CVE-2024-7144

Mitre link : CVE-2024-7144

CVE.ORG link : CVE-2024-7144


JSON object : View

Products Affected

crocoblock

  • jetelements
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')