WordPress The Plus Addons for Elementor plugin <= 5.5.4 - Authenticated (Contibutor+) Stored Cross-Site Scripting via Hover Card vulnerability

Authenticated Contibutor+ Stored Cross-Site Scripting via Hover Card vulnerability discovered by Colin Xu in WordPress Plugin The Plus Addons for Elementor Page Builder Lite versions = 5.5.4...

CVE-2024-2784

The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Hover Card widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

@oku-ui/alert-dialog (>=0.0.1 <=0.6.1), @oku-ui/dialog (>=0.4.0 <=0.6.1) +6 more potentially affected by unknown CVE via @oku-ui/portal (=0.6.1)

@oku-ui/portal NPM version =0.6.1 is affected by a known vulnerability. The following packages have a transitive dependency on @oku-ui/portal and may be impacted: - @oku-ui/alert-dialog =0.0.1, =0.4.0, =0.4.0, =0.6.0, =0.4.0, =0.4.0, =0.4.0-alpha.6, =0.4.0, =0.6.1 Source cves: unknown CVE Source...

@oku-ui/primitives (>=0.4.0 <=0.6.1) potentially affected by unknown CVE via @oku-ui/hover-card (=0.6.1)

@oku-ui/hover-card NPM version =0.6.1 is affected by a known vulnerability. The following packages have a transitive dependency on @oku-ui/hover-card and may be impacted: - @oku-ui/primitives =0.4.0, =0.6.1 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191259...

Malicious code in @oku-ui/hover-card (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49011592cdb157147144c2972c03c4ec153b1d0076d2aa6d45dce878247a77fc The package @oku-ui/hover-card was found to contain malicious code. Source: google-open-source-security...

@oku-ui/hover-card (>=0.4.0 <=0.6.1), @oku-ui/primitives (>=0.4.0 <=0.6.1) +2 more potentially affected by unknown CVE via @oku-ui/visually-hidden (=0.6.1)

@oku-ui/visually-hidden NPM version =0.6.1 is affected by a known vulnerability. The following packages have a transitive dependency on @oku-ui/visually-hidden and may be impacted: - @oku-ui/hover-card =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.6.1 Source cves: unknown CVE Source advisory:...

EUVD-2025-199480

Malicious code in @oku-ui/hover-card npm...

@oku-ui/alert-dialog (>=0.0.1 <=0.6.1), @oku-ui/dialog (>=0.4.0 <=0.6.1) +6 more potentially affected by unknown CVE via @oku-ui/dismissable-layer (=0.6.1)

@oku-ui/dismissable-layer NPM version =0.6.1 is affected by a known vulnerability. The following packages have a transitive dependency on @oku-ui/dismissable-layer and may be impacted: - @oku-ui/alert-dialog =0.0.1, =0.4.0, =0.4.0, =0.6.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.6.1 Source cves: unkno...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

CVE-2024-2784

The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Hover Card widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVE-2024-2784 The Plus Addons for Elementor <= 5.5.4 - Authenticated (Contibutor+) Stored Cross-Site Scripting via Hover Card

The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Hover Card widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

PT-2024-22074 · WordPress · The Plus Addons For Elementor

Name of the Vulnerable Software and Affected Versions: The Plus Addons for Elementor plugin for WordPress versions up to, and including, 5.5.4 Description: The issue is related to Stored Cross-Site Scripting via the Hover Card widget due to insufficient input sanitization and output escaping on...