Exclusive Addons for Elementor <= 2.6.8 – Stored Cross-Site Scripting
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Link To’ URL in carousels in all versions up to, and including, 2.6.8, due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts into pages, which will execute whenever a user accesses an injected page.
Reference: Wordfence Intelligence
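The following is an added example, not code from the advisory or from the plugin: a Python audit that walks decoded page-builder data and flags stored link URLs that warrant review on a site that ran an affected version. It assumes link values are stored in JSON as objects with a `url` key; the sample widget name, the key names, and the allowed-scheme list are also assumptions.

```python
import json
import re

ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}  # assumed allow-list
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
BREAKOUT_RE = re.compile(r"[\"'<>`]")  # characters that can end an HTML attribute
LEADING_JUNK = "".join(map(chr, range(0x21)))  # C0 controls and space

# Constructed sample of stored page data; widget and key names are assumptions.
SAMPLE = json.loads(r"""
[{"widgetType": "example-carousel", "settings": {"slides": [
  {"link": {"url": "https://example.com/a"}},
  {"link": {"url": " java\tscript:void(0)"}},
  {"link": {"url": "https://example.com/\"x"}}
]}}]
""")


def classify_url(value):
    """Return a reason string if a stored link URL needs review, else None."""
    # Browsers drop tab/CR/LF inside URLs and leading controls/spaces, so
    # normalise the same way before reading the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(LEADING_JUNK)
    match = SCHEME_RE.match(cleaned)
    if match and match.group(1).lower() not in ALLOWED_SCHEMES:
        return "disallowed scheme: " + match.group(1).lower()
    if BREAKOUT_RE.search(cleaned):
        return "attribute-breaking character"
    return None


def audit(node, path="$"):
    """Walk decoded JSON; yield (path, value, reason) for flagged 'url' strings."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}.{key}"
            if key == "url" and isinstance(child, str):
                reason = classify_url(child)
                if reason:
                    yield here, child, reason
            else:
                yield from audit(child, here)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from audit(child, f"{path}[{index}]")


if __name__ == "__main__":
    for where, value, why in audit(SAMPLE):
        print(f"{where}: {why}: {value!r}")
```

Findings are candidates for manual review rather than confirmed injections; a legitimate URL containing an apostrophe, for example, is also flagged.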
Notice: EntreBase Trust & Safety; Threat Advisory information is monitored daily and continuously updated, maintained, and populated by industry-leading Vulnerability and Threat Intelligence sources containing over 12,000 records for vulnerabilities in Email Security, Website Security, WordPress plugins, themes, and core. The database is actively maintained by a team of highly credentialed and industry-leading vulnerability researchers and analysts with dozens of vulnerabilities added per week.