CVE-2024-4156
published 2024-05-02

Priority: P4 24
Severity: medium, 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.60% (44.3th percentile)
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_event_text_color’ parameter in versions up to, and including, 5.9.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| libsndfile_project | libsndfile | >= 0 < 1.0.28-7ubuntu0.3 | 1.0.28-7ubuntu0.3 |
| libsndfile_project | libsndfile | >= 0 < 1.0.31-2ubuntu0.2 | 1.0.31-2ubuntu0.2 |
| libsndfile_project | libsndfile | >= 0 < 1.0.25-7ubuntu2.2+esm4 | 1.0.25-7ubuntu2.2+esm4 |
| libsndfile_project | libsndfile | >= 0 < 1.0.28-4ubuntu0.18.04.2+esm2 | 1.0.28-4ubuntu0.18.04.2+esm2 |
| wpdeveloper | essential_addons_for_elementor | < 5.9.18 | 5.9.18 |
| wpdevteam | essential_addons_for_elementor_popular_elementor_templates_widgets | <= 5.9.17 | |

CVSS provenance

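| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| osv | | 7.1 | HIGH | |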