www.wordfence.com
13.224.189.63  Public Scan

Submitted URL: https://www.wordfence.com/threat-intel/vulnerabilities/id/ba9d12c5-fe3a-4958-8d35-c63bb05b6d5a?source=cve
Effective URL: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/elementinvader-addons-for-elementor/elementinvade...
Submission: On October 23 via api from RU — Scanned from DE

Text Content

ELEMENTINVADER ADDONS FOR ELEMENTOR <= 1.2.8 - AUTHENTICATED (CONTRIBUTOR+)
STORED CROSS-SITE SCRIPTING

 * CVSS Score: 5.4 (Medium)
 * Weakness: Improper Neutralization of Input During Web Page Generation
   ('Cross-site Scripting')
 * CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
 * CVE: CVE-2024-9888
 * Publicly Published: October 15, 2024
 * Last Updated: October 16, 2024
 * Researcher: Colin Xu



DESCRIPTION

The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to
Stored Cross-Site Scripting via the plugin's contact form widget redirect URL in
all versions up to, and including, 1.2.8 due to insufficient input sanitization
and output escaping on user-supplied attributes. This makes it possible for
authenticated attackers, with contributor-level access and above, to inject
arbitrary web scripts into pages; the scripts execute whenever a user accesses
an injected page.

REFERENCES

 * plugins.trac.wordpress.org

VULNERABILITY DETAILS FOR ELEMENTINVADER ADDONS FOR ELEMENTOR

ELEMENTINVADER ADDONS FOR ELEMENTOR

 * Software Type: Plugin
 * Software Slug: elementinvader-addons-for-elementor
 * Patched?: Yes
 * Remediation: Update to version 1.2.9, or a newer patched version
 * Affected Version: <= 1.2.8
 * Patched Version: 1.2.9

This record contains material that is subject to copyright.

Copyright 2012-2024 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive,
no-charge, royalty-free, irrevocable copyright license to reproduce, prepare
derivative works of, publicly display, publicly perform, sublicense, and
distribute this software vulnerability information. Any copy of the software
vulnerability information you make for such purposes is authorized provided that
you include a hyperlink to this vulnerability record and reproduce Defiant's
copyright designation and this license in any such copy. Read more.

Copyright 1999-2024 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide,
non-exclusive, no-charge, royalty-free, irrevocable copyright license to
reproduce, prepare derivative works of, publicly display, publicly perform,
sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy
you make for such purposes is authorized provided that you reproduce MITRE's
copyright designation and this license in any such copy. Read more.

Have information to add, or spot any errors? Contact us at
wfi-support@wordfence.com so we can make any appropriate adjustments.
