CVE-2024-4156
Published 2024-05-02
CVE-2024-4156: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site…
Priority: P4 · 24 · medium · 5.4 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.60% (44.3th percentile)
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_event_text_color’ parameter in versions up to, and including, 5.9.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| libsndfile_project | libsndfile | >= 0 < 1.0.28-7ubuntu0.3 | 1.0.28-7ubuntu0.3 |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2ubuntu0.2 | 1.0.31-2ubuntu0.2 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-7ubuntu2.2+esm4 | 1.0.25-7ubuntu2.2+esm4 |
| libsndfile_project | libsndfile | >= 0 < 1.0.28-4ubuntu0.18.04.2+esm2 | 1.0.28-4ubuntu0.18.04.2+esm2 |
| wpdeveloper | essential_addons_for_elementor | < 5.9.18 | 5.9.18 |
| wpdevteam | essential_addons_for_elementor_popular_elementor_templates_widgets | <= 5.9.17 | — |
CVSS provenance
nvd · v3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
osv · 7.1 HIGH
OSV
libsndfile vulnerabilities
osv·2025-02-18·CVSS 7.1
CVE-2021-4156 libsndfile vulnerabilities
It was discovered that libsndfile incorrectly handled memory when executing
its FLAC codec. If a user or automated system were tricked into processing
a specially crafted sound file, an attacker could possibly use this issue
to cause a denial of service or obtain sensitive information.
(CVE-2021-4156)
It was discovered that libsndfile incorrectly handled certain malformed
OggVorbis files. An attacker could possibly use this issue to cause
libsndfile to crash, resulting in a denial of service. (CVE-2024-50612)
GHSA
GHSA-h5pg-7xwx-9864: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross
ghsa_unreviewed·2024-05-02
CVE-2024-4156 [MEDIUM] CWE-79 GHSA-h5pg-7xwx-9864: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_event_text_color’ parameter in versions up to, and including, 5.9.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Event_Calendar.php#L3125
https://plugins.trac.wordpress.org/changeset/3079406/
https://www.wordfence.com/threat-intel/vulnerabilities/id/23a66e6b-cec0-4110-9bef-a5d41ce1c954?source=cve
Published: 2024-05-02