CVE-2024-3190

Name of the Vulnerable Software and Affected Versions The Unlimited Elements For Elementor plugin for WordPress versions up to, and including, 1.5.107

Description The issue is a Stored Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's text field widget. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The problem stems from an external template.

Recommendations For versions up to, and including, 1.5.107, update to version 1.5.108 or later to resolve the issue. As a temporary workaround, consider restricting access to the text field widget for users with contributor-level access and above until the update is applied. Additionally, restrict the use of user-supplied attributes in the plugin's text field widget to minimize the risk of exploitation.