Essential Addons for Elementor DOM-Based Stored Cross-Site Scripting Vulnerability

Vulnerability

A DOM-based stored cross-site scripting vulnerability has been identified in the Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress. This vulnerability exists in all versions through 6.2.2 and is due to inadequate input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can exploit this issue by injecting arbitrary web scripts into pages, which will be executed when a user accesses the affected page.

Impact

Exploitation of this vulnerability allows for DOM-based stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

The injection point is the 'data-gallery-items' parameter. An authenticated user with Contributor-level access or higher can manipulate the gallery items so that they include a script, which is then executed when the page is viewed.

Remediation

Users are advised to update the Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin to version 6.2.3 or later.
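
An added example, not code from the plugin or from this advisory: a Python check that scans saved page HTML for 'data-gallery-items' attributes and flags values containing script-capable markup. It assumes the attribute holds JSON (falling back to the raw text otherwise) and uses a heuristic pattern list; the names audit, GalleryItemAuditor and SAMPLE are hypothetical.

```python
import json
import re
from html.parser import HTMLParser

# Script-capable constructs searched for in each decoded string (heuristic list).
SUSPICIOUS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript-url": re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.I),
}

def _strings(value):
    """Yield every string inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from _strings(v)

class GalleryItemAuditor(HTMLParser):
    """Records (line, tag, label) for each suspicious data-gallery-items value."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, raw in attrs:  # HTMLParser has already entity-decoded raw
            if name != "data-gallery-items" or raw is None:
                continue
            try:  # assumed format: JSON; fall back to the raw text otherwise
                texts = list(_strings(json.loads(raw)))
            except ValueError:
                texts = [raw]
            for label, pattern in SUSPICIOUS.items():
                if any(pattern.search(t) for t in texts):
                    self.findings.append((self.getpos()[0], tag, label))

def audit(html_text):
    """Return findings for a saved page or exported post content."""
    auditor = GalleryItemAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings

# Constructed sample: line 1 is benign markup, line 2 carries an event handler.
SAMPLE = """<div data-gallery-items="[&quot;&lt;div class='item'&gt;ok&lt;/div&gt;&quot;]"></div>
<div data-gallery-items="[&quot;&lt;img src='a.png' onload='constructed()'&gt;&quot;]"></div>
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding is a prompt for manual review of that page, not proof of exploitation; an empty result does not replace updating the plugin.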

Added: Aug 15, 2025, 7:23 AM
Updated: Aug 15, 2025, 7:23 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 6.2
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.