CVE-2024-8913 – The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.11 - Authenticated (Contributor+) Sensitive Information Exposure via content_template
https://notcve.org/view.php?id=CVE-2024-8913
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.11 via the render function in modules/widgets/tp_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. • https://www.wordfence.com/threat-intel/vulnerabilities/id/46126f88-416a-4430-8596-12f72cd2c1e7?source=cve https://plugins.trac.wordpress.org/changeset/3165763/the-plus-addons-for-elementor-page-builder • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-5583 – The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings
https://notcve.org/view.php?id=CVE-2024-5583
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel_direction parameter of testimonials widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.6/modules/widgets/tp_testimonial_listout.php#L2284 https://www.wordfence.com/threat-intel/vulnerabilities/id/55981e72-8d1a-4075-a372-6bddc95e99d8?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-5763 – The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Widget
https://notcve.org/view.php?id=CVE-2024-5763
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the video_date attribute within the plugin's Video widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.6/modules/widgets/tp_video_player.php?rev=3094329#L1351 https://plugins.trac.wordpress.org/changeset/3136509 https://wordpress.org/plugins/the-plus-addons-for-elementor-page-builder/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/4eaf4c05-9393-4e44-abd1-8f529b7848b5?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-6575 – The Plus Addons for Elementor <= 5.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via TP Page Scroll Widget
https://notcve.org/view.php?id=CVE-2024-6575
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘res_width_value’ parameter within the plugin's tp_page_scroll widget in all versions up to, and including, 5.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/trunk/modules/widgets/tp_page_scroll.php#L1017 https://plugins.trac.wordpress.org/changeset/3136509 https://wordpress.org/plugins/the-plus-addons-for-elementor-page-builder/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/71d8a8cf-4653-4515-95ce-8d71697e189c?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-4983 – The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.0- Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4983
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘video_color’ parameter in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Los complementos Plus para Elementor: Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce complemento para WordPress son vulnerables a Cross Site Scripting Almacenado a través del parámetro 'video_color' en todas las versiones hasta la 5.6.0 incluida debido a la sanitización de entrada y escape de salida insuficiente. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.3/modules/widgets/tp_video_player.php#L1302 https://plugins.trac.wordpress.org/changeset/3107776 https://www.wordfence.com/threat-intel/vulnerabilities/id/e3f0a20b-d572-4040-b5b6-ede0aec4e2b0?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •