Stored cross-site scripting available via the plugin’s fancy text widget due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
This vulnerability affects the following application versions:
- Essential Addons for Elementor 5.9.1
- Essential Addons for Elementor 5.9.2
- Essential Addons for Elementor 5.9.3
- Essential Addons for Elementor 5.9.4
- Essential Addons for Elementor 5.9.5
- Essential Addons for Elementor 5.9.6
- Essential Addons for Elementor 5.9.7
- Essential Addons for Elementor 5.9.8
- Essential Addons for Elementor 5.9.9
- Essential Addons for Elementor 5.9.10
- Essential Addons for Elementor 5.9.11
- Essential Addons for Elementor 5.9.12
- Essential Addons for Elementor 5.9.13
- Essential Addons for Elementor 5.9.14
- Essential Addons for Elementor 5.9.15
- Essential Addons for Elementor 5.9.16
- Essential Addons for Elementor 5.9.17
- Essential Addons for Elementor 5.9.18
- Essential Addons for Elementor 5.9.19
- Essential Addons for Elementor 5.9.20
- Essential Addons for Elementor 5.9.21
- Essential Addons for Elementor 5.9.22
- Essential Addons for Elementor 5.9.23
- Essential Addons for Elementor 5.9.24
- Essential Addons for Elementor 5.9.25
- Essential Addons for Elementor 5.9.26
- Essential Addons for Elementor 5.9.27
- Essential Addons for Elementor 6.0.0
- Essential Addons for Elementor 6.0.1
- Essential Addons for Elementor 6.0.2
- Essential Addons for Elementor 6.0.3