Ultimate Addons for Elementor < 1.30.0 – Contributor+ Stored XSS | CVE 2021-24271 | Plugin Vulnerabilities

Description

The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

These vulnerabilities were discovered and patched by Brainstorm Force after the Wordfence Threat Intelligence team notified them of similar vulnerabilities in their " Elementor – Header, Footer & Blocks Template" plugin, and are nearly identical to the vulnerabilities we have recently disclosed in the main Elementor plugin: https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/

Affects Plugins

ultimate-elementor

Fixed in 1.30.0

References

CVE

URL

https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ecosystem/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ramuel Gall

Submitter

Ramuel Gall

Submitter twitter

Verified

Yes

WPVDB ID

1ce8e188-6ded-413e-b4d1-bf80258acf79

Timeline

Publicly Published

2021-04-13 (about 3 years ago)

Added

2021-04-14 (about 3 years ago)

Last Updated

2021-04-18 (about 3 years ago)

Other

Published

Title

Published

2024-03-19

Title

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates < 4.5.4 - Contributor+ Stored XSS

Published

2023-01-27

Title

Booking calendar, Appointment Booking System < 3.2.4 - Editor+ Stored XSS

Published

2014-08-01

Title

S3 Video <= 0.97 - VideoJS Cross Site Scripting

Published

2014-08-01

Title

Backend Localization 1.6.1 - options-general.php kau-boys_backend_localization_language Parameter XSS

Published

2023-03-22

Title

InPost Gallery < 2.1.4.2 - Reflected XSS