CVE-2024-4360

moderate-risk

Published 2024-08-12

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 5.7.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Do I need to act?

0.27% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Element Pack

Affected Vendors

Bdthemes

References (5)

Patch https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/trunk/modu...

https://plugins.trac.wordpress.org/changeset/3140736/bdthemes-element-pack-lite/...

https://plugins.trac.wordpress.org/changeset/3145280/bdthemes-element-pack-lite/...

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/910c0a32-b169-4728-888...

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal