Essential Addons for Elementor < 4.5.4 - Contributor+ Stored Cross-Site Scripting (XSS)

The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, both via a similar method. The “Progress Bar” widget accepts a “progress_bar_title_html_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request containing JavaScript in the “progress_bar_title_html_tag” parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. The “Woo Product Compare” widget accepts a “table_title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request containing JavaScript in the “table_title_tag” parameter, which is not filtered and is output without escaping. This JavaScript will then be executed when the saved page is viewed or previewed. Additionally, the following widgets also allow JavaScript to be inserted via the following parameters: advanced accordion:eael_adv_accordion_title_tag Creative button:creative_button_text Dual Color Header: title_tag, eael_dch_subtext Fancy text: eael_fancy_text_color_selector Filterable Gallery: eael_fg_all_label_text, title_tag Flipbox: eael_flipbox_front_title_tag These vulnerabilities are nearly identical to the vulnerabilities we have recently disclosed in the main Elementor plugin: https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/