The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in versio [truncated]
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, wh [truncated]
A stored cross-site scripting (XSS) vulnerability exists in The Plus Addons for Elementor WordPress plugin, affecting versions up to and including 6.4.15. The flaw resides in the Carousel Anything widget's render() function, where the 'carousel_direction' parameter is inserted into an unquoted HTML dir= attribute. Although esc_attr() is applied, the unquoted attribute context permits attribute injection, [truncated]