CVE-2022-4710

Name of the Vulnerable Software and Affected Versions The Royal Elementor Addons plugin for WordPress versions up to, and including, 1.3.59

Description The issue arises from insufficient input sanitization and output escaping of the wpr ajax search link target parameter in the data fetch function, allowing unauthenticated attackers to inject arbitrary web scripts in pages. This occurs because sanitize text field is insufficient to prevent attribute-based Cross-Site Scripting, making it possible for attackers to execute scripts if they can trick a user into performing an action like clicking on a link.

Recommendations For versions up to, and including, 1.3.59, consider disabling the data fetch function or restricting the use of the wpr ajax search link target parameter until a patch is available. Additionally, ensure proper input sanitization and output escaping to prevent Cross-Site Scripting attacks.