Flipbox Addon for Elementor Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Flipbox Addon for Elementor plugin for WordPress, affecting all versions through 2.1.1. The issue arises in the Flipbox widget's button URL 'custom_attributes' field, where insufficient validation of custom attribute names allows for the injection of arbitrary web scripts. The plugin's use of 'esc_html()' on attribute names fails to block event handler attributes, such as 'onmouseover' and 'onclick'. This vulnerability enables authenticated attackers with author-level access and above to execute injected scripts on pages accessed by users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Remediation

Users are advised to update the Flipbox Addon for Elementor to version 2.1.2 or a newer patched version.