wpvulndb
Ramuel Gall
WPVDB-ID: FA6C7C7C-1027-4FA9-BB55-07AE2BB7F021
History: Apr 13, 2021 - 12:00 a.m.

Livemesh Addons for Elementor < 6.8 - Contributor+ Stored XSS

2021-04-13 00:00:00
Ramuel Gall
wpscan.com
13
wordpress
livemesh addons
elementor
xss
stored xss
vulnerability
widgets
contributors
cross-site scripting
javascript

EPSS

0.001

Percentile

21.4%

The “Livemesh Addons for Elementor” WordPress plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

The “Heading” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible HTML tags, it is possible to send a ‘save_builder’ request with the “title_tag” set to malicious JavaScript, or alternatively just set it to “script” and supply the actual JavaScript code to be executed in the “heading” parameter. This JavaScript will then be executed when the saved page is viewed or previewed.

Likewise, the “Pricing Table” widget can be exploited via the “plan_name_tag” parameter, which can be used for JavaScript on its own, and “plan_price_tag” in this widget is likely also vulnerable. The “Testimonials Slider” widget “title_tag” parameter can also be used for JavaScript on its own, or set to “script” to use in combination with JavaScript inside “client_name”.

The following widgets are likely also vulnerable to similar exploits:

- Posts Carousel: “title_tag” can likely be used for JavaScript on its own, but has specific requirements (posts need to have thumbnails, post title needs to be displayed on thumbnails, etc.). “entry_title_tag” is likely also vulnerable.
- Portfolio: “heading_tag”, “title_tag” and “entry_title_tag” parameters all appear to be vulnerable
- Posts Gridbox Slider: “entry_title_tag” parameter
- Posts Multislider: “entry_title_tag” parameter
- Posts Slider: “entry_title_tag” parameter
- Services: “title_tag” parameter
- Team Members: “title_tag” parameter
- Testimonials: “title_tag” parameter

These vulnerabilities are nearly identical to the vulnerabilities we have recently disclosed in the main Elementor plugin: https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/
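An added example, not code from the advisory or the plugin: a Python audit that walks stored page-builder data and flags any of the tag parameters named above whose value falls outside a fixed allowlist, which is the server-side check the affected widgets lacked. The JSON layout (`elements`, `settings`, `widgetType`), the allowlist contents and the sample widget names are assumptions constructed for illustration.

```python
import json

# Parameter names taken from the advisory text.
TAG_PARAMS = {"title_tag", "plan_name_tag", "plan_price_tag",
              "entry_title_tag", "heading_tag"}
# Assumed allowlist: the fixed set of tags a widget dropdown would offer.
ALLOWED_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p"}


def is_allowed_tag(value):
    """True only for an exact, case-insensitive match on the allowlist."""
    return isinstance(value, str) and value.lower() in ALLOWED_TAGS


def find_bad_tags(elements, path="root"):
    """Walk a builder element tree and return (path, widget, param, value)
    for every tag parameter whose stored value is not on the allowlist."""
    findings = []
    for i, el in enumerate(elements):
        here = f"{path}/{i}"
        settings = el.get("settings") or {}
        # Guard: settings is not always an object (the sample uses a list).
        if isinstance(settings, dict):
            for name in sorted(TAG_PARAMS & settings.keys()):
                if not is_allowed_tag(settings[name]):
                    findings.append(
                        (here, el.get("widgetType"), name, settings[name]))
        findings.extend(find_bad_tags(el.get("elements") or [], here))
    return findings


# Constructed sample data; widget type names are hypothetical.
SAMPLE = json.loads("""
[{"elType": "section", "settings": [], "elements": [
  {"elType": "column", "settings": {}, "elements": [
    {"elType": "widget", "widgetType": "example-heading", "elements": [],
     "settings": {"heading": "placeholder text", "title_tag": "script"}},
    {"elType": "widget", "widgetType": "example-pricing", "elements": [],
     "settings": {"plan_name_tag": "h3", "plan_price_tag": "H4"}}
  ]}
]}]
""")

if __name__ == "__main__":
    for finding in find_bad_tags(SAMPLE):
        print(finding)
```

The same `is_allowed_tag` test applied at save and render time, falling back to a default tag on failure, is the shape of the fix for this class of bug.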
