Master Addons for Elementor Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Master Addons - Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress. This vulnerability affects all versions through 2.0.7.1 and allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the 'id' parameter. The injected scripts are executed when a user accesses the affected page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can inject scripts by manipulating the 'id' parameter. This can be done through the WordPress admin interface, where the user can access the settings or features that utilize the vulnerable plugin. Once the script is injected, it will be executed when the page is viewed by any user.

Remediation

Users are advised to update the Master Addons for Elementor plugin to version 2.0.7.2 or later, where this vulnerability has been patched.