CVE-2024-12120

Name of the Vulnerable Software and Affected Versions Royal Elementor Addons and Templates versions up to 1.7.1017

Description The issue is related to Stored Cross-Site Scripting in the Royal Elementor Addons and Templates plugin for WordPress. This occurs due to insufficient input sanitization and output escaping in the Countdown widget's display message text parameter. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which will execute when a user accesses an injected page.

Recommendations For versions up to 1.7.1017, consider disabling the Countdown widget until a patch is available to prevent exploitation. Restrict access to the Countdown widget's display message text parameter to minimize the risk of arbitrary web script injection. As a temporary workaround, avoid using the display message text parameter in the Countdown widget until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.