Robert Devore

Name of the Vulnerable Software and Affected Versions: The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress versions up to, and including, 2.7.34 Description: The issue is related to Stored Cross-Site Scripting via image alternative texts due to insufficient input sanitization and output escaping. This allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 2.7.34, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks.

**Name of the Vulnerable Software and Affected Versions** The Element Pack Addons for Elementor versions up to, and including, 5.11.2 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, specifically via the `marker content` parameter. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute when a user accesses an injected page. **Recommendations** For versions up to, and including, 5.11.2, update to a version that addresses the insufficient input sanitization and output escaping issue, specifically for the `marker content` parameter, to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the `marker content` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Borderless – Elementor Addons and Templates plugin for WordPress versions up to, and including, 1.7.1 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages via the `title` parameter. This makes it possible for attackers to execute scripts whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.7.1, update to a version that addresses the Stored Cross-Site Scripting issue. As a temporary workaround, consider restricting access to the `title` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LA-Studio Element Kit for Elementor plugin for WordPress versions up to, and including, 1.5.2 **Description** The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's Image Compare and Google Maps widgets. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.5.2, update to a version that addresses the insufficient input sanitization and output escaping issue to prevent Stored Cross-Site Scripting attacks. As a temporary workaround, consider restricting access to the Image Compare and Google Maps widgets for users with contributor-level access and above until a patch is available.

Name of the Vulnerable Software and Affected Versions: FooBox Image Lightbox versions through 2.7.33 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for potentially malicious scripts to be injected into web pages. Recommendations: For versions through 2.7.33, update to a version later than 2.7.33 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Alimir WP ULike versions n/d through 4.7.9.1 Description: The issue is related to a lack of authorization in Alimir WP ULike. Recommendations: For versions n/d through 4.7.9.1, update to a version later than 4.7.9.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WP ULike versions prior to 4.7.6 **Description** The issue is related to improper neutralization of input during web page generation, also known as 'Cross-site Scripting', which allows stored XSS. This enables attackers to inject malicious scripts into the website. **Recommendations** For versions prior to 4.7.6, update to version 4.7.6 or later to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable functions or parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CoDesigner WooCommerce Builder for Elementor versions 4.7.17.2 and earlier **Description** The issue is related to improper neutralization of input during web page generation, which allows stored Cross-site Scripting (XSS). This means an attacker can inject malicious scripts into the website, potentially leading to unauthorized access or control. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions 4.7.17.2 and earlier, update to a version later than 4.7.17.2 to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the website to minimize the risk of exploitation. Avoid using potentially vulnerable features in CoDesigner WooCommerce Builder for Elementor until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WPBITS Addons For Elementor Page Builder versions prior to 1.5.1 **Description** The issue is related to improper neutralization of input during web page generation, also known as 'Cross-site Scripting', which allows stored XSS. This means an attacker can inject malicious scripts into the website, potentially affecting users who visit the compromised page. **Recommendations** For versions prior to 1.5.1, update to version 1.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the website that use the WPBITS Addons For Elementor Page Builder plugin until the update is applied.

**Name of the Vulnerable Software and Affected Versions** inc2734 Smart Custom Fields versions prior to 5.0.0 **Description** The issue is related to improper neutralization of input during web page generation, also known as 'Cross-site Scripting', which allows stored XSS. This problem enables attackers to inject malicious scripts into web pages, potentially affecting user sessions. **Recommendations** For versions prior to 5.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Piotnet Addons For Elementor versions 2.4.31 and earlier **Description** The issue affects Piotnet Addons For Elementor, allowing Stored XSS due to improper neutralization of input during web page generation. This enables an attacker to inject malicious scripts into the website. **Recommendations** For versions 2.4.31 and earlier, update to a version later than 2.4.31 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress versions up to, and including, 2.0.6.7 **Description** The issue concerns a stored cross-site scripting vulnerability via the plugin's Tooltip module due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 2.0.6.7, update to a version later than 2.0.6.7 to resolve the issue. As a temporary workaround, consider disabling the Tooltip module until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with contributor-level access and above.

**Name of the Vulnerable Software and Affected Versions** WP Royal Royal Elementor Addons versions 1.3.987 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject malicious scripts into the website, potentially leading to unauthorized access or data theft. **Recommendations** For WP Royal Royal Elementor Addons versions 1.3.987 and earlier, update to a version that contains a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The Prime Slider – Addons For Elementor plugin for WordPress versions up to, and including, 3.15.18 Description: The issue is related to Stored Cross-Site Scripting via the plugin's Blog widget due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Recommendations: For versions up to, and including, 3.15.18, update the plugin to the latest patched version to resolve the issue. As a temporary workaround, consider restricting access to the Blog widget until a patch is available. Additionally, ensure that all user-supplied attributes are properly sanitized and escaped to prevent arbitrary web script injection.

Name of the Vulnerable Software and Affected Versions: Firelight Lightbox versions 2.3.3 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. Recommendations: For versions 2.3.3 and earlier, update to a version later than 2.3.3 to resolve the issue. As a temporary workaround, consider restricting user input in the Firelight Lightbox plugin to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Robo Gallery versions 3.2.21 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. Recommendations: For versions 3.2.21 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Exclusive Addons Elementor versions through 2.7.1 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS, which can be used to inject malicious scripts into web pages. **Recommendations** For versions through 2.7.1, update to a version later than 2.7.1 to resolve the issue. As a temporary workaround, consider restricting user input to minimize the risk of exploitation. Avoid using potentially vulnerable features in Exclusive Addons Elementor until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Weblizar Lightbox slider – Responsive Lightbox Gallery versions 1.10.0 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For Weblizar Lightbox slider – Responsive Lightbox Gallery versions 1.10.0 and earlier, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dFactory Responsive Lightbox versions through 2.4.8 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS, where an attacker can inject malicious scripts into the website. **Recommendations** For versions through 2.4.8, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** G Meta Keywords versions 1.4 and earlier **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. **Recommendations** For versions 1.4 and earlier, update to a version that fixes the Improper Neutralization of Input During Web Page Generation issue to prevent Stored XSS attacks. As a temporary workaround, consider restricting user input to prevent malicious code injection until a patch is available.