CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41236 – WordPress Happy Elementor Addons Pro Plugin <= 2.8.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41236
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Happy addons Happy Elementor Addons Pro plugin <= 2.8.0 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada en Happy addons del complemento Happy Elementor Addons Pro en versiones <= 2.8.0. The Happy Elementor Addons Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/happy-elementor-addons-pro/wordpress-happy-elementor-addons-pro-plugin-2-8-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28989 – WordPress Happy Addons for Elementor Plugin <= 3.8.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-28989
Cross-Site Request Forgery (CSRF) vulnerability in weDevs Happy Addons for Elementor plugin <= 3.8.2 versions. The Happy Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.8.2. This is due to missing nonce validation on the handle_optin_optout() function. This makes it possible for unauthenticated attackers to modify optin and optout settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/happy-elementor-addons/wordpress-happy-addons-for-elementor-plugin-3-8-2-cross-site-request-forgery-csrf-on-collect-data-popup?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 1CVE-2021-24292 – Happy Addons for Elementor Free < 2.24.0 and Pro < 1.17.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2021-24292
The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added by the “heading_tag” parameter. El plugin Happy Addons para Elementor WordPress versiones anteriores a 2.24.0, el plugin Happy Addons Pro para Elementor WordPress versiones anteriores a 1.17.0, presentan una serie de widgets que son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) almacenado por usuarios pocos privilegiados, como contribuyentes, todos por medio de un método similar: el widget "Card" acepta un parámetro "title_tag". Aunque el control de elementos enumera un conjunto fijo de posibles etiquetas html, es posible enviar una petición "save_builder" con el "header_tag" ajustado en "script" y el parámetro "title" real ajustado en JavaScript para que sea ejecutado dentro del script. etiquetas agregadas por el parámetro "header_tag" • https://wpscan.com/vulnerability/0f20e098-8106-451f-9448-d35a79f03077 https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ecosystem • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •