7 matches found
CVE-2024-10325
CVE-2024-10325 affects Elementor Header & Footer Builder (Ultimate Addons for Elementor) for WordPress. Desktop/REST SVG File Uploads allow Stored XSS due to insufficient input sanitization and output escaping in SVG handling. Affected versions: up to 1.6.45. Exploitation requires authentication ...
CVE-2024-11230
CVE-2024-11230 affects Ultimate Addons for Elementor (formerly Elementor Header & Footer Builder): Stored XSS via the Page Title Widget in Elementor Header & Footer Builder versions up to 1.6.46. Exploitation requires authenticated access (Contributor+). Patch is applied; update to the fixed rele...
CVE-2024-10050
CVE-2024-10050 affects Elementor Header & Footer Builder for WordPress up to version 1.6.43, enabling information disclosure via the hfe_template shortcode. Authenticated users with Contributor+ can view Draft, Private, and password‑protected posts they do not own. The vulnerability is documented...
CVE-2024-4634
CVE-2024-4634 (Elementor Header & Footer Builder, WordPress) stores cross-site scripting via the hfe_svg_mime_types path in versions up to 1.6.28 due to insufficient input sanitization and output escaping. The issue requires authentication (contributors or higher) to inject arbitrary scripts that...
CVE-2024-2618
CVE-2024-2618 refers to the Elementor Header & Footer Builder plugin for WordPress. The Red Hat and WordPress‑centered sources confirm a Stored Cross‑Site Scripting vulnerability via the size attribute in all versions up to and including 1.6.26, caused by insufficient input sanitization and outpu...
CVE-2024-2619
CVE-2024-2619 : Elementor Header & Footer Builder for WordPress is vulnerable to HTML injection due to insufficient input sanitization and output escaping. Affected versions are up to and including 1.6.26. Exploitation requires authentication with author-level permissions or higher, enabling an a...
CVE-2024-1237
The CVE-2024-1237 vulnerability affects the Elementor Header & Footer Builder plugin for WordPress and is a Stored Cross-Site Scripting flaw via the flyout_layout attribute in versions up to 1.6.24, caused by insufficient input sanitization and output escaping. Exploitation could allow an authent...