CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-24271 – Ultimate Addons for Elementor < 1.30.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2021-24271
The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. El Plugin de WordPress "Ultimate Addons for Elementor" versiones anteriores a 1.30.0, presenta varios widgets que son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) almacenado por usuarios con menos privilegios, como los contribuyentes, todo por medio de un método similar The Ultimate Addons for Elementor WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. • https://wpscan.com/vulnerability/1ce8e188-6ded-413e-b4d1-bf80258acf79 https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ecosystem • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13125 – Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
https://notcve.org/view.php?id=CVE-2020-13125
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled. Se detectó un problema en el plugin "Ultimate Addons for Elementor" versiones anteriores a 1.24.2 para WordPress, como se explotó "in the wild" en Mayo de 2020, en conjunto con CVE-2020-13126. Los atacantes no autenticados pueden crear usuarios con el rol Subscriber incluso si el registro está deshabilitado. • https://wpvulndb.com/vulnerabilities/10214 https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk • CWE-286: Incorrect User Management •