Search criteria
6 vulnerabilities by FlickDevs
CVE-2024-10631 (GCVE-0-2024-10631)
Vulnerability from cvelistv5 – Published: 2025-05-15 20:06 – Updated: 2025-05-20 15:17
VLAI?
Title
Countdown Timer <= 1.0.5 - Contributor+ Stored XSS
Summary
The Countdown Timer for WordPress Block Editor WordPress plugin through 1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Severity ?
6.5 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Countdown Timer for WordPress Block Editor |
Affected:
0 , ≤ 1.0.5
(semver)
|
Credits
Sakotas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-10631",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T15:09:32.876502Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T15:17:04.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://wpscan.com/vulnerability/b153fb5e-7df2-491b-b61b-6f90314c7b04/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Countdown Timer for WordPress Block Editor",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.0.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sakotas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Countdown Timer for WordPress Block Editor WordPress plugin through 1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T20:06:44.791Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/b153fb5e-7df2-491b-b61b-6f90314c7b04/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Countdown Timer \u003c= 1.0.5 - Contributor+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-10631",
"datePublished": "2025-05-15T20:06:44.791Z",
"dateReserved": "2024-10-31T17:15:43.141Z",
"dateUpdated": "2025-05-20T15:17:04.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13113 (GCVE-0-2024-13113)
Vulnerability from cvelistv5 – Published: 2025-02-26 06:00 – Updated: 2025-02-26 16:00
VLAI?
Title
Countdown Timer for Elementor < 1.3.7 - Contributor+ Stored XSS
Summary
The Countdown Timer for Elementor WordPress plugin before 1.3.7 does not sanitise and escape some parameters when outputting them on the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
Severity ?
5.9 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Countdown Timer for Elementor |
Affected:
0 , < 1.3.7
(semver)
|
Credits
Bob Matyas
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-13113",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T15:57:17.041660Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-26T16:00:57.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Countdown Timer for Elementor",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Countdown Timer for Elementor WordPress plugin before 1.3.7 does not sanitise and escape some parameters when outputting them on the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-26T06:00:07.971Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/ffc31d9d-d245-4c4b-992d-394a01798117/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Countdown Timer for Elementor \u003c 1.3.7 - Contributor+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-13113",
"datePublished": "2025-02-26T06:00:07.971Z",
"dateReserved": "2025-01-01T14:33:17.231Z",
"dateUpdated": "2025-02-26T16:00:57.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22812 (GCVE-0-2025-22812)
Vulnerability from cvelistv5 – Published: 2025-01-09 15:39 – Updated: 2025-01-10 20:44
VLAI?
Title
WordPress News Ticker Widget for Elementor plugin <= 1.3.2 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlickDevs News Ticker Widget for Elementor allows Stored XSS.This issue affects News Ticker Widget for Elementor: from n/a through 1.3.2.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| FlickDevs | News Ticker Widget for Elementor |
Affected:
n/a , ≤ 1.3.2
(custom)
|
Credits
João Pedro S Alcântara (Kinorth) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22812",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T20:18:58.069532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T20:44:09.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "news-ticker-widget-for-elementor",
"product": "News Ticker Widget for Elementor",
"vendor": "FlickDevs",
"versions": [
{
"changes": [
{
"at": "1.3.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in FlickDevs News Ticker Widget for Elementor allows Stored XSS.\u003c/p\u003e\u003cp\u003eThis issue affects News Ticker Widget for Elementor: from n/a through 1.3.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in FlickDevs News Ticker Widget for Elementor allows Stored XSS.This issue affects News Ticker Widget for Elementor: from n/a through 1.3.2."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T15:39:04.757Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/news-ticker-widget-for-elementor/vulnerability/wordpress-news-ticker-widget-for-elementor-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress News Ticker Widget for Elementor wordpress plugin to the latest available version (at least 1.3.3)."
}
],
"value": "Update the WordPress News Ticker Widget for Elementor wordpress plugin to the latest available version (at least 1.3.3)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress News Ticker Widget for Elementor plugin \u003c= 1.3.2 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-22812",
"datePublished": "2025-01-09T15:39:04.757Z",
"dateReserved": "2025-01-07T21:05:44.628Z",
"dateUpdated": "2025-01-10T20:44:09.535Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53743 (GCVE-0-2024-53743)
Vulnerability from cvelistv5 – Published: 2024-12-01 21:29 – Updated: 2024-12-01 23:07
VLAI?
Title
WordPress Countdown Timer for Elementor plugin <= 1.3.6 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlickDevs Countdown Timer for Elementor allows Stored XSS.This issue affects Countdown Timer for Elementor: from n/a through 1.3.6.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| FlickDevs | Countdown Timer for Elementor |
Affected:
n/a , ≤ 1.3.6
(custom)
|
Credits
João Pedro Soares de Alcântara - Kinorth (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-01T22:59:46.510354Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-01T23:07:52.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "countdown-timer-for-elementor",
"product": "Countdown Timer for Elementor",
"vendor": "FlickDevs",
"versions": [
{
"lessThanOrEqual": "1.3.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jo\u00e3o Pedro Soares de Alc\u00e2ntara - Kinorth (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in FlickDevs Countdown Timer for Elementor allows Stored XSS.\u003cp\u003eThis issue affects Countdown Timer for Elementor: from n/a through 1.3.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in FlickDevs Countdown Timer for Elementor allows Stored XSS.This issue affects Countdown Timer for Elementor: from n/a through 1.3.6."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-01T21:29:44.054Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/countdown-timer-for-elementor/vulnerability/wordpress-countdown-timer-for-elementor-plugin-1-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Countdown Timer for Elementor plugin \u003c= 1.3.6 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-53743",
"datePublished": "2024-12-01T21:29:44.054Z",
"dateReserved": "2024-11-22T13:51:57.971Z",
"dateUpdated": "2024-12-01T23:07:52.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53746 (GCVE-0-2024-53746)
Vulnerability from cvelistv5 – Published: 2024-12-01 21:24 – Updated: 2024-12-01 23:07
VLAI?
Title
WordPress Elementor Button Plus plugin <= 1.3.3 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlickDevs Elementor Button Plus allows Stored XSS.This issue affects Elementor Button Plus: from n/a through 1.3.3.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| FlickDevs | Elementor Button Plus |
Affected:
n/a , ≤ 1.3.3
(custom)
|
Credits
João Pedro Soares de Alcântara - Kinorth (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-01T22:59:27.279842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-01T23:07:52.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "fd-elementor-button-plus",
"product": "Elementor Button Plus",
"vendor": "FlickDevs",
"versions": [
{
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jo\u00e3o Pedro Soares de Alc\u00e2ntara - Kinorth (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in FlickDevs Elementor Button Plus allows Stored XSS.\u003cp\u003eThis issue affects Elementor Button Plus: from n/a through 1.3.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in FlickDevs Elementor Button Plus allows Stored XSS.This issue affects Elementor Button Plus: from n/a through 1.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-01T21:24:44.046Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/fd-elementor-button-plus/vulnerability/wordpress-elementor-button-plus-plugin-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Elementor Button Plus plugin \u003c= 1.3.3 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-53746",
"datePublished": "2024-12-01T21:24:44.046Z",
"dateReserved": "2024-11-22T13:51:57.972Z",
"dateUpdated": "2024-12-01T23:07:52.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3074 (GCVE-0-2024-3074)
Vulnerability from cvelistv5 – Published: 2024-05-02 16:51 – Updated: 2024-08-01 19:32
VLAI?
Summary
The Elementor ImageBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image box widget in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| flickdevs | Elementor ImageBox |
Affected:
* , ≤ 1.2.8
(semver)
|
Credits
Etan Imanol Castro Aldrete
Eduardo Berlanga
Joaquin Alvarez
Abraham de León (h4m1)
José Vazquez (AKA Retr0_1000101)
Samuel Gonzalez (Winsad)
j0r38
Manuel Manjarrez
Alex Delgado
Emiliano Perez
M41w4r3
Xeniel
Cr4zyD14m0nd
l1ttl3Bugc4t
Dr4c0t4
Bryan Velez
mrgh057
D4ZC
Deibyd
MindFall
PumaHat
Tr3ckR
xm4nd0
pCix
0xjar8
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T17:42:45.732931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:32:44.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:32:42.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e24c8f4-32c9-4c21-88d9-588913cbb474?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/fd-elementor-imagebox/trunk/elements/fd-adv-imagebox.php#L534"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Elementor ImageBox",
"vendor": "flickdevs",
"versions": [
{
"lessThanOrEqual": "1.2.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Etan Imanol Castro Aldrete"
},
{
"lang": "en",
"type": "finder",
"value": "Eduardo Berlanga"
},
{
"lang": "en",
"type": "finder",
"value": "Joaquin Alvarez"
},
{
"lang": "en",
"type": "finder",
"value": "Abraham de Le\u00f3n (h4m1)"
},
{
"lang": "en",
"type": "finder",
"value": "Jos\u00e9 Vazquez (AKA Retr0_1000101)"
},
{
"lang": "en",
"type": "finder",
"value": "Samuel Gonzalez (Winsad)"
},
{
"lang": "en",
"type": "finder",
"value": "j0r38"
},
{
"lang": "en",
"type": "finder",
"value": "Manuel Manjarrez"
},
{
"lang": "en",
"type": "finder",
"value": "Alex Delgado"
},
{
"lang": "en",
"type": "finder",
"value": "Emiliano Perez"
},
{
"lang": "en",
"type": "finder",
"value": "M41w4r3"
},
{
"lang": "en",
"type": "finder",
"value": "Xeniel"
},
{
"lang": "en",
"type": "finder",
"value": "Cr4zyD14m0nd"
},
{
"lang": "en",
"type": "finder",
"value": "l1ttl3Bugc4t"
},
{
"lang": "en",
"type": "finder",
"value": "Dr4c0t4"
},
{
"lang": "en",
"type": "finder",
"value": "Bryan Velez"
},
{
"lang": "en",
"type": "finder",
"value": "mrgh057"
},
{
"lang": "en",
"type": "finder",
"value": "D4ZC"
},
{
"lang": "en",
"type": "finder",
"value": "Deibyd"
},
{
"lang": "en",
"type": "finder",
"value": "MindFall"
},
{
"lang": "en",
"type": "finder",
"value": "PumaHat"
},
{
"lang": "en",
"type": "finder",
"value": "Tr3ckR"
},
{
"lang": "en",
"type": "finder",
"value": "xm4nd0"
},
{
"lang": "en",
"type": "finder",
"value": "pCix"
},
{
"lang": "en",
"type": "finder",
"value": "0xjar8"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Elementor ImageBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image box widget in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T16:51:44.497Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e24c8f4-32c9-4c21-88d9-588913cbb474?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fd-elementor-imagebox/trunk/elements/fd-adv-imagebox.php#L534"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-29T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3074",
"datePublished": "2024-05-02T16:51:44.497Z",
"dateReserved": "2024-03-28T22:39:44.111Z",
"dateUpdated": "2024-08-01T19:32:42.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}