Vulnerability DatabaseCVE-2024-7611

CVE-2024-7611:
WordPress vulnerability analysis and mitigation

Overview

The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2024-7611) affecting versions up to and including 2.1.8. The vulnerability exists in the 'tag' attribute of the Events Card widget due to insufficient input sanitization and output escaping on user-supplied attributes (NVD).

Technical details

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C) with low confidentiality and integrity impacts (C:L, I:L) and no availability impact (A:N) (NVD).

Impact

When exploited, this vulnerability allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

Mitigation and workarounds

Users should update their Enter Addons – Ultimate Template Builder for Elementor plugin to a version newer than 2.1.8 to address this vulnerability (NVD).