Asaf Mozes

**Name of the Vulnerable Software and Affected Versions** WordPress plugins and themes (affected versions not specified) **Description** Multiple plugins and themes for WordPress are susceptible to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation. This occurs due to insufficient input sanitization and output escaping involving the `url` parameter. Unauthenticated attackers can exploit this to inject arbitrary web scripts into pages, which execute when a user is tricked into clicking a malicious link. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Elementor versions up to and including 3.33.3 **Description** The Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Text Path widget. This is due to inadequate handling of user-provided data when creating SVG markup within the widget. Authenticated attackers with contributor-level access or higher can inject malicious web scripts into pages. These scripts will then execute when a user visits the compromised page. **Recommendations** Elementor versions prior to and including 3.33.3 should be updated.

**Name of the Vulnerable Software and Affected Versions** MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress versions up to and including 4.0.1 **Description** The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is susceptible to Stored Cross-Site Scripting via the `mf-template` DOM Element. Insufficient input sanitization and output escaping allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update to a version later than 4.0.1.

**Name of the Vulnerable Software and Affected Versions** Elementor Website Builder – More Than Just a Page Builder plugin for WordPress versions prior to 3.30.3 **Description** The Elementor Website Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting via the `data-text` DOM element attribute in the Text Path widget due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. This issue affects only Chrome and Edge browsers. **Recommendations** Update Elementor Website Builder – More Than Just a Page Builder plugin for WordPress to version 3.30.3 or later.

Name of the Vulnerable Software and Affected Versions: Kadence WP – Page Builder Features plugin versions up to, and including, 3.5.10 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The `redirectURL` parameter is specifically vulnerable to this type of attack. Recommendations: For versions up to, and including, 3.5.10, update to version 3.5.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the `redirectURL` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress versions up to, and including, 7.4.0 Description: The issue is related to Stored Cross-Site Scripting via the `data-url` DOM element attribute due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 7.4.0, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `data-url` attribute in the DOM element to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress versions up to, and including, 3.10.2.1 Description: The issue is related to Stored Cross-Site Scripting via the use of a templating engine due to insufficient output escaping on user data passed through the template. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 3.10.2.1, update to a version that includes the necessary output escaping to prevent the injection of arbitrary web scripts. As a temporary workaround, consider restricting contributor-level access and above to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: The Royal Elementor Addons plugin for WordPress versions up to, and including, 1.7.1024 Description: The issue is related to Stored Cross-Site Scripting via multiple widgets due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 1.7.1024, update to a version higher than 1.7.1024 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable widgets to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: SiteOrigin Widgets Bundle plugin for WordPress versions up to and including 1.68.4 Description: The issue is related to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute. This occurs due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. Recommendations: For versions up to and including 1.68.4, update to a version higher than 1.68.4 to resolve the issue. As a temporary workaround, consider restricting access to the `data-url` attribute in the DOM Element to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OceanWP theme for WordPress versions up to, and including, 4.0.9 **Description** The issue is related to Stored Cross-Site Scripting via the Select HTML tag due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For OceanWP theme for WordPress versions up to, and including, 4.0.9, update to a version later than 4.0.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ElementsKit Elementor Addons and Templates plugin for WordPress versions up to, and including, 3.5.2 **Description** The issue is related to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 3.5.2, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the image comparison widget for users with contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** YITH WooCommerce Wishlist plugin for WordPress versions up to, and including, 4.5.0 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The `id` parameter is specifically vulnerable to this type of attack. **Recommendations** For YITH WooCommerce Wishlist plugin for WordPress versions up to, and including, 4.5.0, update to a version higher than 4.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the `id` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress versions up to, and including, 3.98.0 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the `aria-label` parameter. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. **Recommendations** For versions up to, and including, 3.98.0, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `aria-label` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Click to Chat plugin for WordPress versions up to, and including, 4.22 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The `data-no number` parameter is specifically vulnerable to this type of attack. **Recommendations** For Click to Chat plugin for WordPress versions up to, and including, 4.22, consider updating to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, restrict access to the `data-no number` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Events Calendar plugin for WordPress versions up to, and including, 6.13.2 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping via the `data-date-*` parameters. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 6.13.2, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `data-date-*` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin versions up to, and including, 4.3.1 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the `data-color` attribute. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.3.1, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** The Premium Addons for Elementor plugin for WordPress versions up to, and including, 4.11.8 **Description** The issue is related to Stored Cross-Site Scripting via the `data-countdown` attribute of the Countdown widget. This is due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages. These scripts will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 4.11.8, update to a version that includes the necessary input sanitization and output escaping fixes to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the Countdown widget for users with Contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OceanWP Ocean Extra versions 2.4.8 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Stored XSS. This enables attackers to inject malicious scripts into web pages, potentially leading to unauthorized access or data theft. **Recommendations** For OceanWP Ocean Extra versions 2.4.8 and earlier, update to a version later than 2.4.8 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress versions up to, and including, 1.44.1 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The `id` and `data-size` parameters are vulnerable to this issue. **Recommendations** For versions up to, and including, 1.44.1, update to a version that addresses the insufficient input sanitization and output escaping issue. As a temporary workaround, consider restricting access to the `id` and `data-size` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Popup Maker plugin for WordPress versions up to, and including, 1.20.4 **Description** The issue is related to Stored Cross-Site Scripting via the `popupID` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.20.4, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `popupID` parameter to minimize the risk of exploitation.