Search criteria
6 vulnerabilities found for Rife Elementor Extensions & Templates by Apollo13Themes
CVE-2024-13564 (GCVE-0-2024-13564)
Vulnerability from cvelistv5 – Published: 2025-02-22 08:22 – Updated: 2025-02-24 16:16
VLAI?
Title
Rife Elementor Extensions & Templates <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode
Summary
The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Writing Effect Headline shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollo13themes | Rife Elementor Extensions & Templates |
Affected:
* , ≤ 1.2.5
(semver)
|
Credits
D.Sim
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T16:15:03.421234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T16:16:52.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rife Elementor Extensions \u0026 Templates",
"vendor": "apollo13themes",
"versions": [
{
"lessThanOrEqual": "1.2.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "D.Sim"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rife Elementor Extensions \u0026 Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s Writing Effect Headline shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-22T08:22:06.341Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/520555b4-35e8-4ec1-85b8-3a43b5209661?source=cve"
},
{
"url": "https://wordpress.org/plugins/rife-elementor-extensions/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3244081"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-21T19:51:18.000+00:00",
"value": "Disclosed"
}
],
"title": "Rife Elementor Extensions \u0026 Templates \u003c= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13564",
"datePublished": "2025-02-22T08:22:06.341Z",
"dateReserved": "2025-01-21T01:56:41.257Z",
"dateUpdated": "2025-02-24T16:16:52.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27454 (GCVE-0-2023-27454)
Vulnerability from cvelistv5 – Published: 2024-12-09 11:31 – Updated: 2024-12-09 15:30
VLAI?
Title
WordPress Rife Elementor Extensions & Templates plugin <= 1.1.10 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Apollo13Themes Rife Elementor Extensions & Templates allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rife Elementor Extensions & Templates: from n/a through 1.1.10.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apollo13Themes | Rife Elementor Extensions & Templates |
Affected:
n/a , ≤ 1.1.10
(custom)
|
Credits
István Márton (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:30:32.803326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:30:45.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "rife-elementor-extensions",
"product": "Rife Elementor Extensions \u0026 Templates",
"vendor": "Apollo13Themes",
"versions": [
{
"changes": [
{
"at": "1.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.1.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Istv\u00e1n M\u00e1rton (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Apollo13Themes Rife Elementor Extensions \u0026 Templates allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Rife Elementor Extensions \u0026 Templates: from n/a through 1.1.10.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Apollo13Themes Rife Elementor Extensions \u0026 Templates allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rife Elementor Extensions \u0026 Templates: from n/a through 1.1.10."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T11:31:22.785Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/rife-elementor-extensions/vulnerability/wordpress-rife-elementor-extensions-templates-plugin-1-1-10-broken-access-control?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Rife Elementor Extensions \u0026 Templates plugin to the latest available version (at least 1.2.0)."
}
],
"value": "Update the WordPress Rife Elementor Extensions \u0026 Templates plugin to the latest available version (at least 1.2.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Rife Elementor Extensions \u0026 Templates plugin \u003c= 1.1.10 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-27454",
"datePublished": "2024-12-09T11:31:22.785Z",
"dateReserved": "2023-03-01T14:31:56.747Z",
"dateUpdated": "2024-12-09T15:30:45.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5504 (GCVE-0-2024-5504)
Vulnerability from cvelistv5 – Published: 2024-07-02 07:37 – Updated: 2024-08-01 21:18
VLAI?
Title
Rife Elementor Extensions & Templates <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget
Summary
The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute within the plugin's Writing Effect Headline widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollo13themes | Rife Elementor Extensions & Templates |
Affected:
* , ≤ 1.2.1
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-06T03:06:13.291754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-06T03:06:23.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:18:05.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2bc0b654-5174-41bc-9e8a-40257ceb7ded?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/rife-elementor-extensions/trunk/includes/elementor/widgets/writing-effect-headline.php#L264"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3109903/#file1"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/rife-elementor-extensions/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rife Elementor Extensions \u0026 Templates",
"vendor": "apollo13themes",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rife Elementor Extensions \u0026 Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027tag\u0027 attribute within the plugin\u0027s Writing Effect Headline widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T07:37:03.053Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2bc0b654-5174-41bc-9e8a-40257ceb7ded?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rife-elementor-extensions/trunk/includes/elementor/widgets/writing-effect-headline.php#L264"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3109903/#file1"
},
{
"url": "https://wordpress.org/plugins/rife-elementor-extensions/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-01T19:26:57.000+00:00",
"value": "Disclosed"
}
],
"title": "Rife Elementor Extensions \u0026 Templates \u003c= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5504",
"datePublished": "2024-07-02T07:37:03.053Z",
"dateReserved": "2024-05-29T21:17:02.171Z",
"dateUpdated": "2024-08-01T21:18:05.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13564 (GCVE-0-2024-13564)
Vulnerability from nvd – Published: 2025-02-22 08:22 – Updated: 2025-02-24 16:16
VLAI?
Title
Rife Elementor Extensions & Templates <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode
Summary
The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Writing Effect Headline shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollo13themes | Rife Elementor Extensions & Templates |
Affected:
* , ≤ 1.2.5
(semver)
|
Credits
D.Sim
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-24T16:15:03.421234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T16:16:52.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rife Elementor Extensions \u0026 Templates",
"vendor": "apollo13themes",
"versions": [
{
"lessThanOrEqual": "1.2.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "D.Sim"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rife Elementor Extensions \u0026 Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s Writing Effect Headline shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-22T08:22:06.341Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/520555b4-35e8-4ec1-85b8-3a43b5209661?source=cve"
},
{
"url": "https://wordpress.org/plugins/rife-elementor-extensions/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3244081"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-21T19:51:18.000+00:00",
"value": "Disclosed"
}
],
"title": "Rife Elementor Extensions \u0026 Templates \u003c= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13564",
"datePublished": "2025-02-22T08:22:06.341Z",
"dateReserved": "2025-01-21T01:56:41.257Z",
"dateUpdated": "2025-02-24T16:16:52.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27454 (GCVE-0-2023-27454)
Vulnerability from nvd – Published: 2024-12-09 11:31 – Updated: 2024-12-09 15:30
VLAI?
Title
WordPress Rife Elementor Extensions & Templates plugin <= 1.1.10 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Apollo13Themes Rife Elementor Extensions & Templates allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rife Elementor Extensions & Templates: from n/a through 1.1.10.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apollo13Themes | Rife Elementor Extensions & Templates |
Affected:
n/a , ≤ 1.1.10
(custom)
|
Credits
István Márton (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T15:30:32.803326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T15:30:45.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "rife-elementor-extensions",
"product": "Rife Elementor Extensions \u0026 Templates",
"vendor": "Apollo13Themes",
"versions": [
{
"changes": [
{
"at": "1.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.1.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Istv\u00e1n M\u00e1rton (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Apollo13Themes Rife Elementor Extensions \u0026 Templates allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Rife Elementor Extensions \u0026 Templates: from n/a through 1.1.10.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Apollo13Themes Rife Elementor Extensions \u0026 Templates allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rife Elementor Extensions \u0026 Templates: from n/a through 1.1.10."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T11:31:22.785Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/rife-elementor-extensions/vulnerability/wordpress-rife-elementor-extensions-templates-plugin-1-1-10-broken-access-control?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Rife Elementor Extensions \u0026 Templates plugin to the latest available version (at least 1.2.0)."
}
],
"value": "Update the WordPress Rife Elementor Extensions \u0026 Templates plugin to the latest available version (at least 1.2.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Rife Elementor Extensions \u0026 Templates plugin \u003c= 1.1.10 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-27454",
"datePublished": "2024-12-09T11:31:22.785Z",
"dateReserved": "2023-03-01T14:31:56.747Z",
"dateUpdated": "2024-12-09T15:30:45.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5504 (GCVE-0-2024-5504)
Vulnerability from nvd – Published: 2024-07-02 07:37 – Updated: 2024-08-01 21:18
VLAI?
Title
Rife Elementor Extensions & Templates <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget
Summary
The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute within the plugin's Writing Effect Headline widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollo13themes | Rife Elementor Extensions & Templates |
Affected:
* , ≤ 1.2.1
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-06T03:06:13.291754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-06T03:06:23.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:18:05.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2bc0b654-5174-41bc-9e8a-40257ceb7ded?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/rife-elementor-extensions/trunk/includes/elementor/widgets/writing-effect-headline.php#L264"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3109903/#file1"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/rife-elementor-extensions/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rife Elementor Extensions \u0026 Templates",
"vendor": "apollo13themes",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rife Elementor Extensions \u0026 Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027tag\u0027 attribute within the plugin\u0027s Writing Effect Headline widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T07:37:03.053Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2bc0b654-5174-41bc-9e8a-40257ceb7ded?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rife-elementor-extensions/trunk/includes/elementor/widgets/writing-effect-headline.php#L264"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3109903/#file1"
},
{
"url": "https://wordpress.org/plugins/rife-elementor-extensions/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-01T19:26:57.000+00:00",
"value": "Disclosed"
}
],
"title": "Rife Elementor Extensions \u0026 Templates \u003c= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5504",
"datePublished": "2024-07-02T07:37:03.053Z",
"dateReserved": "2024-05-29T21:17:02.171Z",
"dateUpdated": "2024-08-01T21:18:05.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}