CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3779 – Essential Addons For Elementor <=5.8.1 - Unauthenticated MailChimp API Key Disclosure
https://notcve.org/view.php?id=CVE-2023-3779
The Essential Addons For Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 5.8.1 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled as the API key may have been compromised. This only affects sites running the premium version of the plugin and that have the Mailchimp block enabled on a page. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2938177%40essential-addons-for-elementor-lite&new=2938177%40essential-addons-for-elementor-lite&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/e007c713-74bc-4ff5-a198-70dcc8a8ee68?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32241 – WordPress Essential Addons for Elementor Pro Plugin <= 5.4.8 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-32241
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPDeveloper Essential Addons for Elementor Pro plugin <= 5.4.8 versions. The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/essential-addons-elementor/wordpress-essential-addons-for-elementor-pro-plugin-5-4-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32245 – WordPress Essential Addons for Elementor Pro Plugin <= 5.4.8 is vulnerable to Server Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-32245
Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Essential Addons for Elementor Pro.This issue affects Essential Addons for Elementor Pro: from n/a through 5.4.8. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en WPDeveloper Essential Addons para Elementor Pro. Este problema afecta a Essential Addons para Elementor Pro: desde n/a hasta 5.4.8. The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 5.4.8. This can allow unauthenticated attackers to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. • https://patchstack.com/database/vulnerability/essential-addons-elementor/wordpress-essential-addons-for-elementor-pro-plugin-5-4-8-unauthenticated-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 17%CPEs: 1EXPL: 7CVE-2023-32243 – WordPress Essential Addons for Elementor Plugin 5.4.0-5.7.1 is vulnerable to Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-32243
Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1. The Essential Addons for Elementor plugin for WordPress is vulnerable to Unauthenticated Arbitrary Password Resets to Privilege Escalation in versions up to, and including, 5.7.1. This is due to a lack of validation of a password reset key in the reset_password function. This makes it possible for unauthenticated attackers to reset the password of any user on a vulnerable site, including an administrator, if they have the email or username of the targeted account. • https://github.com/gbrsh/CVE-2023-32243 https://github.com/RandomRobbieBF/CVE-2023-32243 https://github.com/Jenderal92/WP-CVE-2023-32243 https://github.com/shaoyu521/Mass-CVE-2023-32243 https://github.com/YouGina/CVE-2023-32243 http://packetstormsecurity.com/files/172457/WordPress-Elementor-Lite-5.7.1-Arbitrary-Password-Reset.html https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites?_s_id=cve https://patchstack.com/datab • CWE-287: Improper Authentication CWE-620: Unverified Password Change •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-0683 – Essential Addons for Elementor Lite <= 5.0.8 Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0683
The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 5.0.8. El plugin Essential Addons for Elementor Lite de WordPress es vulnerable a Cross-Site Scripting debido a un escape y saneo insuficientes del parámetro settings encontrado en el archivo ~/includes/Traits/Helper.php que permite a atacantes inyectar scripts web arbitrarios en una página que es ejecutado cada vez que un usuario hace clic en un enlace especialmente diseñado por un atacante. Esto afecta a versiones hasta 5.0.8 incluyéndola • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2680585%40essential-addons-for-elementor-lite&new=2680585%40essential-addons-for-elementor-lite&sfp_email=&sfph_mail= https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0683 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •