CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15020 – Elementor Website Builder <= 2.9.13 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-15020
An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template field. Se detectó un problema en el plugin Elementor versiones hasta 2.9.13 para WordPress. Un atacante autenticado puede lograr un ataque de tipo XSS almacenado por medio del campo Name Your Template • http://hidden-one.co.in/2020/07/07/cve-2020-1020-stored-xss-on-elementor-wordpress-plugin https://wordpress.org/plugins/elementor/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36703 – Elementor Website Builder <= 2.9.7 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-36703
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG image uploads in versions up to, and including 2.9.7 This makes it possible for authenticated attackers with the upload_files capability to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the stored web scripts. • https://blog.nintechnet.com/wordpress-elementor-plugin-fixed-svg-xss-protection-bypass-vulnerability https://www.wordfence.com/threat-intel/vulnerabilities/id/42db52ae-f881-4082-b475-8577a28641c6?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-20634 – Elementor Website Builder <= 2.9.5 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2020-20634
Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the blog. El plugin de WordPress Elementor versiones 2.9.5 y anteriores, permite a usuarios autenticados activar su funcionalidad de modo seguro. Esto puede ser explotado para deshabilitar todos los plugin de seguridad en el blog. • https://blog.nintechnet.com/wordpress-elementor-plugin-fixed-safe-mode-privilege-escalation-vulnerability • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8426 – Elementor Website Builder <= 2.8.4 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-8426
The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user. El plugin Elementor versiones anteriores a 2.8.5 para WordPress, sufre de una vulnerabilidad de tipo XSS reflejado en la página elementor-system-info. Estos pueden ser explotados al apuntar a un usuario autenticado. • https://blog.impenetrable.tech/xss-in-wordpress-elementor-plugin https://wordpress.org/plugins/elementor/#developers https://wpvulndb.com/vulnerabilities/10051 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-7109 – Elementor Website Builder <= 2.8.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-7109
The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template. El plugin Elementor Page Builder versiones anteriores a 2.8.4 para WordPress, no sanea los datos durante la creación de una nueva plantilla. • https://wordpress.org/plugins/elementor/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •