ElementsKit: stored cross-site scripting (XSS) (CVE-2024-10091) #shorts #breaking

CVE

This CVE covers a stored cross-site scripting (XSS) vulnerability in the ElementsKit Elementor Addons plugin for WordPress. It was disclosed recently and is considered a zero-day, as it exploits a flaw in the plugin's Image Comparison Widget. The flaw arises from the plugin's failure to adequately sanitize and escape user-supplied input. Consequently, attackers with at least contributor-level access can inject malicious scripts into pages; when a user later visits such a page, the injected script runs automatically in their browser. The vulnerability affects all versions of ElementsKit up to and including 3.2.9, putting both site visitors and site operators who rely on this plugin at risk.

Watch the full video on YouTube: CVE-2024-10091

CVE database technical details

CVE ID
CVE-2024-10091
Description
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Comparison Widget in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
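As an added illustration of the pattern the description refers to (this is not ElementsKit's code and is not taken from the page), the following hypothetical WordPress widget render function is shown first without escaping and then with context-appropriate output escaping; the setting names `before_label` and `before_image` are assumptions, while `esc_attr()`, `esc_url()` and `esc_html()` are real WordPress helpers, so the code is meant to run inside a loaded WordPress.

```php
<?php
// Added illustration of CWE-79 in a WordPress widget; NOT ElementsKit's code.
// The setting names ($settings['before_label'], $settings['before_image']) are
// hypothetical. esc_attr(), esc_url() and esc_html() are real WordPress helpers,
// so these functions are meant to run inside a loaded WordPress (for example in
// an Elementor widget's render() method).

/**
 * Vulnerable pattern: contributor-supplied widget attributes are concatenated
 * straight into markup. A label such as  Before"><script>...</script>  closes
 * the data-label attribute, is stored with the page, and then runs for every
 * visitor who loads it (stored XSS).
 */
function render_image_comparison_vulnerable( array $settings ): string {
	return '<div class="img-compare" data-label="' . $settings['before_label'] . '">'
		. '<img src="' . $settings['before_image'] . '" alt="">'
		. '<span>' . $settings['before_label'] . '</span>'
		. '</div>';
}

/**
 * Hardened pattern: escape each value for the exact context it lands in.
 * - esc_attr() for HTML attribute values (encodes " ' < > &)
 * - esc_url()  for URLs (returns '' for disallowed schemes such as javascript:)
 * - esc_html() for text between tags
 * Escaping at output time is the "output escaping" the CVE description names;
 * sanitize_text_field() on save adds defence in depth but does not replace it.
 */
function render_image_comparison_escaped( array $settings ): string {
	return '<div class="img-compare" data-label="' . esc_attr( $settings['before_label'] ) . '">'
		. '<img src="' . esc_url( $settings['before_image'] ) . '" alt="">'
		. '<span>' . esc_html( $settings['before_label'] ) . '</span>'
		. '</div>';
}

// Constructed sample input imitating what a contributor-level account could save.
$settings = array(
	'before_label' => 'Before"><script>alert(1)</script>',
	'before_image' => 'javascript:alert(1)',
);

// The vulnerable output contains a live <script> element; the escaped output
// keeps &lt;script&gt; inside the attribute and text, and the src is emptied.
echo render_image_comparison_vulnerable( $settings ), "\n";
echo render_image_comparison_escaped( $settings ), "\n";
```

When reviewing a widget for this class of bug, look for every `echo`/string concatenation of a setting and check that the escaping function matches the HTML context (attribute, URL, text, or inline JavaScript).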
Provider
Wordfence
CWE / problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected Software Versions
xpeedstudio ElementsKit Elementor addons: all versions up to and including 3.2.9 (semver) are affected
Date Published
2024-10-26T02:31:30.951Z
Last Updated
2024-10-28T19:13:45.268Z