CVE-2024-3161
published 2024-05-02CVE-2024-3161: The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's attributes in all versions up to, and…
PriorityP423medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.43%
34.6th percentile
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's attributes in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | sigstore_sigstore-go | >= 0 < 0.6.1 | 0.6.1 |
| jegtheme | jeg_elementor_kit | < 2.6.5 | 2.6.5 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
ghsa·2024-09-04
CVE-2024-45395 [LOW] CWE-835 sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
sigstore-go has an unbounded loop over untrusted input can lead to endless data attack
### Impact
sigstore-go is susceptible to a denial of service attack when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these data structures is computationally expensive. This can be used to consume excessive CPU resources, leading to a denial of service attack. TUF's security model labels this type of vulnerability an "Endless data attack," and can lead to verification failing to complete and disrupting services that rely on sigstore-go for verification.
The vulnerable loops are in the verification functions in the package `gith
GHSA
GHSA-945r-qfv2-22cj: The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's attributes in all versions up to, a
ghsa_unreviewed·2024-05-02
CVE-2024-3161 [MEDIUM] CWE-79 GHSA-945r-qfv2-22cj: The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's attributes in all versions up to, a
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's attributes in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/trunk/assets/js/elements/countdown.js#L93https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3077328%40jeg-elementor-kit%2Ftrunk&old=3062484%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/48a13fb7-bf1a-4bf2-ac3b-3b5a75fec616?source=cvehttps://plugins.trac.wordpress.org/browser/jeg-elementor-kit/trunk/assets/js/elements/countdown.js#L93https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3077328%40jeg-elementor-kit%2Ftrunk&old=3062484%40jeg-elementor-kit%2Ftrunk&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/48a13fb7-bf1a-4bf2-ac3b-3b5a75fec616?source=cve
2024-05-02
Published