Premium Addons for Elementor < 4.2.8 - Contributor+ Stored Cross-Site Scripting (XSS)

Description

The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

The “Testimonials” widget accepts a “premium_testimonial_person_name_size” parameter. Although the element control lists a fixed set of possible html tags and this parameter is processed by wp_kses, it is possible to send a ‘save_builder’ request with the “premium_testimonial_person_name_size” set to an externally sourced JavaScript, e.g. “script+src=\"https://ramgall.com/alertscript.js\"”
This JavaScript is not filtered out by wp_kses and will then be executed when the saved page is viewed or previewed. The “premium_testimonial_company_name_size” parameter appears to be vulnerable to the same exploit.

We’ve verified that the Premium Blog widget is similarly vulnerable via the "premium_blog_title_tag" parameter, and the following widgets are likely also vulnerable to similar exploits:
Premium Banner: “premium_banner_title_tag” parameter
Premium Dual Header:”premium_dual_header_first_header_tag” parameter
Premium Persion: “premium_person_name_heading” and “premium_person_title_heading”
Premium Pricing Table: “premium_pricing_table_title_size”
Premium Title: “premium_title_tag”

These vulnerabilities are nearly identical to the vulnerabilities we have recently disclosed in the main Elementor plugin: https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/