| CVE | CVE-2021-24292 |
|---|---|
| CVSS | Medium (6.4) |
| Publicly Published | April 26, 2021 |
| Last Updated | January 22, 2024 |
| Researcher |
Ram
|
The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added by the “heading_tag” parameter.
References| Software Type | Plugin |
|---|---|
| Software Slug | happy-elementor-addons-pro (view on wordpress.org) |
| Patched? | Yes |
| Affected Version |
|
| Patched Version |
|
| Software Type | Plugin |
| Software Slug | happy-elementor-addons (view on wordpress.org) |
| Patched? | Yes |
| Affected Version |
|
| Patched Version |
|
Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.
License Detail.