CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2085 – HT Mega – Absolute Addons For Elementor <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'size'
https://notcve.org/view.php?id=CVE-2024-2085
16 Apr 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' value in several widgets all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento HT Mega – Absolute A... • https://plugins.trac.wordpress.org/changeset/3048999/ht-mega-for-elementor/trunk/includes/widgets/htmega_accordion.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3308 – HT Mega – Absolute Addons For Elementor <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Grid Widget
https://notcve.org/view.php?id=CVE-2024-3308
16 Apr 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid widget's attributes in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento HT Mega – Absolute Addons For Elementor para WordPress ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3071480%40ht-mega-for-elementor%2Ftrunk&old=3063395%40ht-mega-for-elementor%2Ftrunk&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3307 – HT Mega – Absolute Addons For Elementor <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
https://notcve.org/view.php?id=CVE-2024-3307
16 Apr 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget's attributes in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento HT Mega – Absolute Addons For Elementor para WordPress es... • https://github.com/HBLocker/CVE-2024-33078 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6214 – HT Mega – Absolute Addons For Elementor <= 2.4.6 - Sensitive Information Exposure via purchased_products
https://notcve.org/view.php?id=CVE-2023-6214
16 Apr 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.6 via the purchased_products function. This makes it possible for unauthenticatied attackers to extract sensitive data including the previous 7 days of order data including products and customer PII. El complemento HT Mega – Absolute Addons For Elementor para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta ... • https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.3.6/extensions/wc-sales-notification/classes/class.sale_notification.php • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2790 – HT Mega – Absolute Addons For Elementor <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion/FAQ
https://notcve.org/view.php?id=CVE-2024-2790
16 Apr 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Accordion widget in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento HT Mega – Absolute Addons For Elementor... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3063395%40ht-mega-for-elementor&new=3063395%40ht-mega-for-elementor&sfp_email=&sfph_mail=#file4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2084 – HT Mega – Absolute Addons For Elementor <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox Widget
https://notcve.org/view.php?id=CVE-2024-2084
16 Apr 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox widget in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento HT Mega – Absolute Addon... • https://plugins.trac.wordpress.org/changeset/3048999 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1974 – HT Mega – Absolute Addons For Elementor <= 2.4.5 - Authenticated (Contributor+) Directory Traversal
https://notcve.org/view.php?id=CVE-2024-1974
09 Apr 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.6 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to read the contents of arbitrary files on the server, which can contain sensitive information. El complemento HT Mega – Absolute Addons For Elementor para WordPress es vulnerable a Directory Traversal en todas las versiones hasta la 2.4.6 incluida a tra... • https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/trunk/includes/widgets/htmega_weather.php#L401 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1421 – HT Mega – Absolute Addons For Elementor <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Carousel Widget
https://notcve.org/view.php?id=CVE-2024-1421
12 Mar 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘border_type’ attribute of the Post Carousel widget in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento HT Mega – Absolute Addons Fo... • https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.4.4/includes/widgets/htmega_post_carousel.php#L2243 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1397 – HT Mega <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via titleTag
https://notcve.org/view.php?id=CVE-2024-1397
12 Mar 2024 — The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on the 'titleTag' user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento HT Mega – Absolute... • https://plugins.trac.wordpress.org/browser/ht-mega-for-elementor/tags/2.4.4/htmega-blocks/src/blocks/accordion-card/index.php#L17 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •