PT-2021-15831 · WordPress · Happy Addons For Elementor

Ramuel Gall · Published 2021-05-17 · Updated 2021-05-24

CVE-2021-24292
CVSS v3.1 5.4 Medium
Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Happy Addons for Elementor WordPress plugin, versions prior to 2.24.0
Happy Addons Pro for Elementor WordPress plugin, versions prior to 1.17.0
Description The issue is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited by lower-privileged users such as contributors. It stems from the "Card" widget, which renders its title inside a configurable title tag. The editor control offers only a fixed set of HTML tags, but the server does not re-validate the submitted value against that list: an attacker can send a modified 'save_builder' request with the title tag set to "script" and the title itself set to JavaScript. When the widget is rendered, the title is wrapped in the script tags produced by the title tag parameter, so the JavaScript executes in the browser of anyone who views the affected page.
Recommendations Update Happy Addons for Elementor to version 2.24.0 or later, and Happy Addons Pro for Elementor to version 1.17.0 or later. Until the update is applied, a temporary workaround is to restrict lower-privileged roles (such as contributors) from using the "Card" widget, or from using the Elementor editor at all, so that they cannot submit the tampered widget settings.
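As an added illustration for both the description and the fix (not code from Happy Addons, Elementor, or this advisory), the following self-contained PHP script models the rendering pattern that makes the Card widget exploitable and the server-side check that closes it. The function and constant names (render_card_title_vulnerable, render_card_title_fixed, ALLOWED_TITLE_TAGS) are assumed, and esc_html_stub stands in for WordPress esc_html() so the script runs with plain php outside WordPress.

```php
<?php
// Added illustration for CVE-2021-24292; not code from Happy Addons or Elementor.
// Models a "Card"-style widget that renders its title inside a configurable tag.
// All names below (render_card_title_*, ALLOWED_TITLE_TAGS, esc_html_stub) are assumed.
declare(strict_types=1);

// Stand-in for WordPress esc_html(), so the script runs outside WordPress.
function esc_html_stub(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The tags the editor control offers. The control enforces this list only in the
// browser; the server has to enforce it again on whatever save_builder submits.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Vulnerable pattern: the saved title_tag is trusted as-is. Escaping the title
// does not help, because code inside <script> needs no angle brackets or quotes.
function render_card_title_vulnerable(array $settings): string
{
    $tag   = (string) $settings['title_tag'];
    $title = esc_html_stub((string) $settings['title']);
    return sprintf('<%1$s class="ha-card-title">%2$s</%1$s>', $tag, $title);
}

// Hardened pattern: allowlist the tag server-side and fall back to a safe default
// instead of echoing the attacker's value.
function render_card_title_fixed(array $settings): string
{
    $tag = strtolower(trim((string) ($settings['title_tag'] ?? 'h2')));
    if (!in_array($tag, ALLOWED_TITLE_TAGS, true)) {
        $tag = 'h2';
    }
    $title = esc_html_stub((string) ($settings['title'] ?? ''));
    return sprintf('<%1$s class="ha-card-title">%2$s</%1$s>', $tag, $title);
}

// Constructed widget settings, shaped like what a tampered save_builder request
// would persist: the tag is "script" and the title is JavaScript.
$malicious = ['title_tag' => 'script', 'title' => 'alert(document.cookie)'];
$benign    = ['title_tag' => 'h3',     'title' => 'Hello & welcome'];

$vulnerable_out = render_card_title_vulnerable($malicious);
$fixed_out      = render_card_title_fixed($malicious);
$benign_out     = render_card_title_fixed($benign);

echo "vulnerable: {$vulnerable_out}\n";
echo "fixed:      {$fixed_out}\n";
echo "benign:     {$benign_out}\n";

// Self-check: the vulnerable path emits a script element, the fixed path does not,
// and legitimate content still renders with its chosen tag and escaped text.
$ok = strpos($vulnerable_out, '<script') === 0
    && strpos($fixed_out, '<script') === false
    && $benign_out === '<h3 class="ha-card-title">Hello &amp; welcome</h3>';
exit($ok ? 0 : 1);
```

Run it with php on the command line; the vulnerable path produces a script element wrapping the JavaScript while the fixed path demotes the unknown tag to h2. The point worth taking from it is that escaping the title is not a fix on its own, since a payload inside a script element needs no markup characters; the tag name is the injection point and must be validated on the server against the same list the editor control shows. Elementor core exposes \Elementor\Utils::validate_html_tag() for exactly this check, which a widget can use instead of maintaining its own allowlist.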


Related Identifiers
CVE-2021-24292

Affected Products
Happy Addons For Elementor