CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1387 – Happy Addons for Elementor <= 3.10.4 - Incorrect Authorization to Information Exposure
https://notcve.org/view.php?id=CVE-2024-1387
The Happy Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to insufficient authorization on the duplicate_thing() function in all versions up to, and including, 3.10.4. This makes it possible for attackers, with contributor-level access and above, to clone arbitrary posts (including private and password protected ones) which may lead to information exposure. El complemento Happy Addons for Elementor para WordPress es vulnerable al acceso no autorizado a los datos debido a una autorización insuficiente en la función duplicate_thing() en todas las versiones hasta la 3.10.4 incluida. Esto hace posible que los atacantes, con acceso de nivel de colaborador y superior, clonen publicaciones arbitrarias (incluidas las privadas y protegidas con contraseña), lo que puede provocar la exposición de la información. • https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/classes/clone-handler.php#L58 https://plugins.trac.wordpress.org/changeset/3064385/happy-elementor-addons/trunk/classes/clone-handler.php?contextall=1&old=3044937&old_path=%2Fhappy-elementor-addons%2Ftrunk%2Fclasses%2Fclone-handler.php https://www.wordfence.com/threat-intel/vulnerabilities/id/aff10d5a-a2d0-461a-b52b-a25b647eaab4?source=cve • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2786 – Happy Addons for Elementor <= 3.10.4 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via title_tag
https://notcve.org/view.php?id=CVE-2024-2786
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on the title_tag attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Happy Addons para Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de varios widgets en todas las versiones hasta la 3.10.4 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en el atributo title_tag. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.10.4/widgets/card/widget.php#L1216 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.10.4/widgets/gradient-heading/widget.php#L260 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.10.4/widgets/gradient-heading/widget.php#L262 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.10.4/widgets/review/widget.php#L821 https://plugins.trac.wordpress.org/changeset?s • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1498 – Happy Addons for Elementor <= 3.10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Photo Stack Widget
https://notcve.org/view.php?id=CVE-2024-1498
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Photo Stack Widget in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Happy Addons para Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del widget Photo Stack del complemento en todas las versiones hasta la 3.10.3 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.10.2/widgets/photo-stack/widget.php#L598 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3044937%40happy-elementor-addons%2Ftrunk&old=3042474%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/f43e1eed-09f8-44b3-b6fa-d0344f331dd7?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2788 – Happy Addons for Elementor <= 3.10.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title HTML Tag
https://notcve.org/view.php?id=CVE-2024-2788
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title HTML Tag in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Happy Addons para Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de la etiqueta HTML del título de la publicación en todas las versiones hasta la 3.10.4 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title HTML Tag in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3064385%40happy-elementor-addons%2Ftrunk&old=3044937%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail=#file13 https://www.wordfence.com/threat-intel/vulnerabilities/id/73e4ec2f-f4e1-469d-a4b7-5a10d44b7a2f?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1366 – Happy Addons for Elementor <= 3.10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Archive Title Widget
https://notcve.org/view.php?id=CVE-2024-1366
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘archive_title_tag’ attribute of the Archive Title widget in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Happy Addons para Elementor para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del atributo 'archive_title_tag' del widget Título del archivo en todas las versiones hasta la 3.10.3 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3044937/happy-elementor-addons https://www.wordfence.com/threat-intel/vulnerabilities/id/08208cb1-2d57-49f9-8ac7-b59caa0cf5fa?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •