
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Essential Addons For Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 5.8.1 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled as the API key may have been compromised. This only affects sites running the premium version of the plugin and that have the Mailchimp block enabled on a page.

• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2938177%40essential-addons-for-elementor-lite&new=2938177%40essential-addons-for-elementor-lite&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/e007c713-74bc-4ff5-a198-70dcc8a8ee68?source=cve
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPDeveloper Essential Addons for Elementor Pro plugin versions <= 5.4.8. The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

• https://patchstack.com/database/vulnerability/essential-addons-elementor/wordpress-essential-addons-for-elementor-pro-plugin-5-4-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Essential Addons for Elementor Pro. This issue affects Essential Addons for Elementor Pro: from n/a through 5.4.8. The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 5.4.8. This can allow unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

• https://patchstack.com/database/vulnerability/essential-addons-elementor/wordpress-essential-addons-for-elementor-pro-plugin-5-4-8-unauthenticated-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file, which allows attackers to inject arbitrary web scripts onto a page that execute whenever a user clicks on a link specially crafted by an attacker. This affects versions up to and including 5.0.8.

• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2680585%40essential-addons-for-elementor-lite&new=2680585%40essential-addons-for-elementor-lite&sfp_email=&sfph_mail=
• https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0683
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server; this could also lead to RCE via user uploaded files or other LFI to RCE techniques.

• https://wpscan.com/vulnerability/0d02b222-e672-4ac0-a1d4-d34e1ecf4a95
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')