This vulnerability affects any WordPress website that uses the Elementor add-on Happy Addons for Elementor, and has been assigned CVE-2024-10538.
What’s the issue?
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter of the Image Comparison widget in all versions up to and including 3.12.5, due to insufficient input sanitization and output escaping. An authenticated attacker with Contributor-level access or above can inject arbitrary web script into a page; because the script is stored with the page, it executes in the browser of every user who views the injected page, including logged-in editors and administrators.
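The root cause described above is a widget setting reaching page output without being escaped for the context it lands in. The following is an added, illustrative example and not the plugin's actual code: the widget markup, the `render_label_unsafe` and `render_label_safe` helpers, and the sample payload are all assumptions chosen to show the pattern and its fix. `esc_html()` and `esc_attr()` are the real WordPress core escaping functions; the `function_exists` stand-ins at the top only let the snippet run outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shows why an unescaped widget
// setting becomes stored XSS and how output escaping removes the issue.

// Stand-ins so the snippet runs outside WordPress. Inside WordPress the
// core esc_html()/esc_attr() functions are used and these are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Anti-pattern (assumed for illustration): the Contributor-controlled
// setting is concatenated straight into HTML. Whatever was saved in the
// widget is emitted verbatim to every visitor of the page.
function render_label_unsafe( array $settings ): string {
    return '<span class="compare-label">' . $settings['before_label'] . '</span>';
}

// Hardened form: escape once, at output time, for the exact context.
// esc_html() for text content, esc_attr() for an attribute value.
function render_label_safe( array $settings ): string {
    $label = isset( $settings['before_label'] ) ? (string) $settings['before_label'] : '';
    return sprintf(
        '<span class="compare-label" data-label="%s">%s</span>',
        esc_attr( $label ),
        esc_html( $label )
    );
}

// Constructed sample: what a low-privilege user might type into the
// "before" label field. It is inert text until something echoes it raw.
$settings = array( 'before_label' => '<img src=x onerror="alert(document.cookie)">' );

echo render_label_unsafe( $settings ), PHP_EOL; // tag survives: script runs for every viewer
echo render_label_safe( $settings ),   PHP_EOL; // tag is rendered as literal text
```

Escaping at output is the control that actually closes the hole; sanitising on save (for example `sanitize_text_field()` for a plain label, or `wp_kses_post()` where limited markup is intended) is worth adding as defence in depth, but it does not replace context-aware escaping when the value is rendered.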
The add-on has over 400,000 active installations and is a well-known extension for the Elementor plugin.
The add-on developers patched this vulnerability in the 3.12.6 update, released on 5 November 2024 👏
How Does This Affect Me?
If you’re using the Happy Addons for Elementor plugin on a WordPress site, update it to version 3.12.6 or later as soon as possible. Exploitation requires an account with Contributor-level access or above, so sites that hand out Contributor accounts to untrusted users (open registration, guest authors, client logins) are most exposed, but any site running a vulnerable version should update regardless. If you’re not using WordPress OR this plugin, there is no need to worry: this doesn’t affect you.
What Should I Do?
If the plugin is installed, update it to version 3.12.6 or higher as soon as possible; this release includes the fix for the security issue. Because this is a stored XSS, updating prevents new injections but does not remove anything already saved, so it is also worth reviewing Image Comparison widgets edited by Contributor-level accounts for unexpected markup in the before label. If you have a WordPress Maintenance Agreement with us and are using this add-on, we’ve already actioned this for you.