CVE-2023-23683 – WordPress White Label Branding for Elementor Page Builder Plugin <= 1.0.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23683
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ozan Canakli White Label Branding for Elementor Page Builder plugin <= 1.0.2 versions. The White Label Branding for Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/white-label-branding-elementor/wordpress-white-label-branding-for-elementor-page-builder-plugin-1-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-13864 – Elementor Website Builder <= 2.9.8 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-13864
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links. El plugin Elementor Page Builder versiones anteriores a 2.9.9 para WordPress, sufre de una vulnerabilidad de tipo XSS almacenado. Un usuario autor puede crear publicaciones que resulten en un ataque de tipo XSS almacenado mediante el uso de una carga útil diseñada en enlaces personalizados The Elementor Website Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links. • https://www.softwaresecured.com/elementor-page-builder-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-13865 – Elementor Website Builder <= 2.9.8 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-13865
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes. El plugin Elementor Page Builder versiones anteriores a 2.9.9 para WordPress, sufre de múltiples vulnerabilidades de tipo XSS almacenado. Un usuario autor puede crear publicaciones que resulten en vulnerabilidades de tipo XSS almacenado, mediante el uso de un enlace diseñado en la URL personalizada o mediante la aplicación de atributos personalizados The Elementor Website Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes. • https://www.softwaresecured.com/elementor-page-builder-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-13126 – Elementor Pro <= 2.9.3 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2020-13126
An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is unaffected. Se detectó un problema en el plugin Elementor Pro versiones anteriores a 2.9.4 para WordPress, como se explotó "in the wild" en Mayo de 2020, en conjunto con CVE-2020-13125. Un atacante con el rol Subscriber puede cargar archivos ejecutables arbitrarios para lograr una ejecución de código remota. • https://wpvulndb.com/vulnerabilities/10214 https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2020-20406 – Elementor Website Builder <= 2.9.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-20406
A stored XSS vulnerability exists in the Custom Link Attributes control Affect function in Elementor Page Builder 2.9.2 and earlier versions. It is caused by inadequate filtering on the link custom attributes. Se presenta una vulnerabilidad de tipo XSS almacenado en la función Afectada de control de Custom Link Attributes en Elementor Page Builder versiones 2.9.2 y anteriores. Es debido a un filtrado inadecuado de los atributos personalizados del enlace • https://wordpress.org/plugins/elementor/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •