CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0334 – Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Cross-Site Scripting via Elementor Widget URL Custom Attributes
https://notcve.org/view.php?id=CVE-2024-0334
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attribute of a link in several Elementor widgets in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Jeg Elementor Kit para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del atributo personalizado de un enlace en varios widgets de Elementor en todas las versiones hasta la 2.6.4 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3077328/jeg-elementor-kit https://www.wordfence.com/threat-intel/vulnerabilities/id/950e9042-1364-4200-8f57-171346075764?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3161 – Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
https://notcve.org/view.php?id=CVE-2024-3161
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's attributes in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Jeg Elementor Kit para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de los atributos del widget de cuenta regresiva en todas las versiones hasta la 2.6.4 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de colaborador o superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/trunk/assets/js/elements/countdown.js#L93 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3077328%40jeg-elementor-kit%2Ftrunk&old=3062484%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/48a13fb7-bf1a-4bf2-ac3b-3b5a75fec616?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3819 – Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via JKit - Banner
https://notcve.org/view.php?id=CVE-2024-3819
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's JKit - Banner widget in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Jeg Elementor Kit para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del widget JKit - Banner del complemento en todas las versiones hasta la 2.6.4 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.4/class/elements/views/class-banner-view.php#L55 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3077328%40jeg-elementor-kit&new=3077328%40jeg-elementor-kit&sfp_email=&sfph_mail=#file565 https://www.wordfence.com/threat-intel/vulnerabilities/id/46868a11-0c82-4bd3-82b5-9a19a5a0cef1?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1327 – Jeg Elementor Kit <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box
https://notcve.org/view.php?id=CVE-2024-1327
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's image box widget in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Jeg Elementor Kit para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del widget de cuadro de imagen del complemento en todas las versiones hasta la 2.6.3 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.2/class/elements/views/class-view-abstract.php#L123 https://www.wordfence.com/threat-intel/vulnerabilities/id/34a42180-9d08-4049-8da8-27ee1f64600a?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3162 – Jeg Elementor Kit <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial
https://notcve.org/view.php?id=CVE-2024-3162
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget Attributes in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Jeg Elementor Kit para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de los atributos del widget de testimonios en todas las versiones hasta la 2.6.3 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de colaborador o superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget Attributes in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. • https://plugins.trac.wordpress.org/changeset/3062484 https://www.wordfence.com/threat-intel/vulnerabilities/id/d54c7623-25af-4bf1-a6e0-9022ec26f391?source=cve • CWE-87: Improper Neutralization of Alternate XSS Syntax •