Master Addons Elementor Addons Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Master Addons - Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress. This vulnerability exists in all versions prior to 2.0.8.6 and allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages. The injected scripts are executed when a user accesses the affected page. The vulnerability arises from inadequate input sanitization and output escaping, particularly in several widgets that utilize the Fancybox library.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

The vulnerability can be reproduced by an authenticated user with Contributor-level access or higher. After logging in, the user can inject scripts through the caption data of specific widgets, such as the image filter gallery, nav menu, or image carousel widgets. Once the scripts are injected, they will be executed when the page is viewed.

Remediation

Users are advised to update the Master Addons - Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin to version 2.0.9.1 or a newer patched version.