CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-18379 – Elementor Pro <= 2.0.9 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-18379
The elementor-edit-template class in wp-admin/customize.php in the Elementor Pro plugin before 2.0.10 for WordPress has XSS. La clase elementor-edit-template en el archivo wp-admin/customize.php en el plugin Elementor Pro versiones anteriores a 2.0.10 para WordPress, presenta una vulnerabilidad de tipo XSS. • https://elementor.com/blog https://www.contextis.com/en/resources/advisories/cve-2018-18379 https://www.contextis.com/resources/advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18596 – Elementor Website Builder <= 1.7.12 - Missing Authorization
https://notcve.org/view.php?id=CVE-2017-18596
The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions. El plugin elementor versiones anteriores a 1.8.0 para WordPress, presenta un control de acceso incorrecto para las funciones internas. The Elementor Website Builder plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 1.7.12. This is due to many AJAX actions being accessible to all logged-in users due to a lack of capability checks on the associated functions. This makes it possible for authenticated attackers to gain otherwise restricted access to backend functions and perform actions like editing posts and importing/exporting content. • https://wordpress.org/plugins/elementor/#developers https://wpvulndb.com/vulnerabilities/8965 • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •