Prime Slider – Addons For Elementor < 3.13.3 – Contributor+ Stored Cross-Site Scripting via Mercury Widget | CVE 2024-1508 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the 'settings['title_tags']' attribute of the Mercury widget in all versions up to, and including, 3.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

bdthemes-prime-slider-lite

Fixed in 3.13.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7da00af0-edd1-4c39-ae33-a0dc21bd25a2

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

RandomRoot

Verified

No

WPVDB ID

714cf448-055a-49de-a2e6-2b73be364c7e

Timeline

Publicly Published

2024-03-12 (about 2 months ago)

Added

2024-03-13 (about 2 months ago)

Last Updated

2024-03-13 (about 2 months ago)

Other

Published

Title

Published

2019-12-02

Title

CSS Hero < 4.07 - Authenticated Reflected XSS

Published

2022-06-20

Title

Analytify < 4.2.1 - Reflected Cross-Site Scripting

Published

2020-02-17

Title

Fruitful Theme < 3.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2015-05-30

Title

Social Media & Share Icons <= 1.1.1.11 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2017-02-19

Title

Time Sheets < 1.5.2 - Multiple XSS