What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2021-24292.

What is the severity level of CVE-2021-24292?

The severity level of CVE-2021-24292 is medium.

How does the Happy Addons for Elementor plugin before 2.24.0 and Happy Addons Pro for Elementor plugin before 1.17.0 store Cross-Site Scripting(XSS) vulnerabilities?

The widgets in these plugins, specifically the 'Card' widget, allow lower-privileged users to inject malicious scripts, leading to stored Cross-Site Scripting(XSS) vulnerabilities.

Which users are affected by the Cross-Site Scripting(XSS) vulnerabilities in Happy Addons for Elementor plugin before 2.24.0 and Happy Addons Pro for Elementor plugin before 1.17.0?

Lower-privileged users, such as contributors, are affected by the Cross-Site Scripting(XSS) vulnerabilities in these plugins.

How can I fix the Cross-Site Scripting(XSS) vulnerabilities in Happy Addons for Elementor plugin before 2.24.0 and Happy Addons Pro for Elementor plugin before 1.17.0?

It is recommended to update the plugins to the latest versions (2.24.0 for Happy Addons for Elementor and 1.17.0 for Happy Addons Pro for Elementor) to fix the Cross-Site Scripting(XSS) vulnerabilities.

Vulnerability/
CVE-2021-24292

medium

5.4

CWE

17/5/2021

3/8/2024

CVE-2021-24292: Happy Addons for Elementor Free < 2.24.0 and Pro < 1.17.0 - Contributor+ Stored XSS

First published: Mon May 17 2021(Updated: )

The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added by the “heading_tag” parameter.

Credit: contact@wpscan.com

Affected Software	Affected Version	How to fix
Wedevs Happy Addons For Elementor	<1.17.0
Wedevs Happy Addons For Elementor	<2.24.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-24292.
What is the severity level of CVE-2021-24292?
The severity level of CVE-2021-24292 is medium.
How does the Happy Addons for Elementor plugin before 2.24.0 and Happy Addons Pro for Elementor plugin before 1.17.0 store Cross-Site Scripting(XSS) vulnerabilities?
The widgets in these plugins, specifically the 'Card' widget, allow lower-privileged users to inject malicious scripts, leading to stored Cross-Site Scripting(XSS) vulnerabilities.
Which users are affected by the Cross-Site Scripting(XSS) vulnerabilities in Happy Addons for Elementor plugin before 2.24.0 and Happy Addons Pro for Elementor plugin before 1.17.0?
Lower-privileged users, such as contributors, are affected by the Cross-Site Scripting(XSS) vulnerabilities in these plugins.
How can I fix the Cross-Site Scripting(XSS) vulnerabilities in Happy Addons for Elementor plugin before 2.24.0 and Happy Addons Pro for Elementor plugin before 1.17.0?
It is recommended to update the plugins to the latest versions (2.24.0 for Happy Addons for Elementor and 1.17.0 for Happy Addons Pro for Elementor) to fix the Cross-Site Scripting(XSS) vulnerabilities.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/title
agent/weakness
agent/last-modified-date
agent/severity
agent/tags
agent/event
agent/first-publish-date
agent/description
vendor/wedevs
canonical/wedevs happy addons for elementor

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.