Pular para o conteúdo
Ver todas as ameaças

CVE-2021-24292

Alvo: Não informado

Descrição

The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added by the “heading_tag” parameter.

Software
Não informado
Tipo Software
Plugin
CVE
CVE-2021-24292
Tags
Nâo informado
Data de publicação
17/05/2021
Última atualização
24/02/2022
Pontuação em CVSS 3.0
5.4
Médio
plugins premium WordPress