CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8961 – Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders <= 6.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-8961
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nomore_items_text’ parameter in all versions up to, and including, 6.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Filterable_Gallery.php https://plugins.trac.wordpress.org/changeset/3176312 https://www.wordfence.com/threat-intel/vulnerabilities/id/45ef20aa-18e3-4ad8-a94e-76e29de5b562?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8978 – Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders <= 6.0.9 - Authenticated (Contributor+) Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-8978
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_register_user_email_controls' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including usernames and passwords of any users who register via the Login | Register Form widget, as long as that user opens the email notification for successful registration. Los complementos Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders para WordPress son vulnerables a la exposición de información confidencial en todas las versiones hasta la 6.0.9 incluida a través de la función 'init_content_register_user_email_controls'. Esto hace posible que los atacantes autenticados, con acceso de nivel de colaborador y superior, extraigan datos confidenciales, incluidos los nombres de usuario y las contraseñas de cualquier usuario que se registre a través del widget Formulario de inicio de sesión | Registro, siempre que ese usuario abra la notificación por correo electrónico para el registro exitoso. • https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Login_Register.php#L2220 https://plugins.trac.wordpress.org/changeset/3188634 https://www.wordfence.com/threat-intel/vulnerabilities/id/baae8fb9-b87c-4f61-88da-871c4c83615b?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8979 – Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders <= 6.0.9 - Authenticated (Author+) Sensitive Information Exposure to Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-8979
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_lostpassword_user_email_controls' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including usernames and passwords of any user, including Administrators, as long as that user opens the email notification for a password change request and images are not blocked by the email client. Los complementos Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders para Elementor son vulnerables a la exposición de información confidencial en todas las versiones hasta la 6.0.9 incluida a través de la función 'init_content_lostpassword_user_email_controls'. Esto permite que los atacantes autenticados, con acceso de nivel de autor y superior, extraigan datos confidenciales, incluidos los nombres de usuario y las contraseñas de cualquier usuario, incluidos los administradores, siempre que ese usuario abra la notificación por correo electrónico para solicitar un cambio de contraseña y las imágenes no estén bloqueadas por el cliente de correo electrónico. • https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Login_Register.php#L2440 https://plugins.trac.wordpress.org/changeset/3188634 https://www.wordfence.com/threat-intel/vulnerabilities/id/34d09086-be33-40cf-b5bf-d6c03cf0b68a?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8742 – Essential Addons for Elementor <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery Widget
https://notcve.org/view.php?id=CVE-2024-8742
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://www.wordfence.com/threat-intel/vulnerabilities/id/76c292dc-e9da-4256-82df-58ac5def4771?source=cve https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.0.3/includes/Elements/Filterable_Gallery.php#L566 https://plugins.trac.wordpress.org/changeset/3148624 https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8440 – Essential Addons for Elementor -- Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget
https://notcve.org/view.php?id=CVE-2024-8440
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://www.wordfence.com/threat-intel/vulnerabilities/id/c5960396-5320-4978-aa82-2e33700daa43?source=cve https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Fancy_Text.php#L114 https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers https://plugins.trac.wordpress.org/changeset/3148624 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •