Essential Addons for Elementor < 4.5.4 - Contributor+ Stored Cross-Site Scripting (XSS)

Description

The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, both via a similar method.

The “Progress Bar” widget accepts a “progress_bar_title_html_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request containing JavaScript in the “progress_bar_title_html_tag” parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.

The “Woo Product Compare” widget accepts a “table_title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request containing JavaScript in the “table_title_tag” parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed.

Additionally, the following widgets also allow JavaScript to be inserted via the following parameters:
advanced accordion:eael_adv_accordion_title_tag
Creative button:creative_button_text
Dual Color Header: title_tag, eael_dch_subtext
Fancy text: eael_fancy_text_color_selector
Filterable Gallery: eael_fg_all_label_text, title_tag
Flipbox: eael_flipbox_front_title_tag

These vulnerabilities are nearly identical to the vulnerabilities we have recently disclosed in the main Elementor plugin: https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/