CVE-2024-4484 PoC — The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.2 - Authenticat

Associated Vulnerability
Title: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting (CVE-2024-4484)
Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘xai_username’ parameter in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Description
This script uses HTTParty to detect stored cross-site scripting (XSS) vulnerabilities in WordPress sites using the xai_username parameter. It sends a payload to the specified URL and checks if the payload is reflected in the response, indicating a vulnerability.
Readme
# CVE-2024-4484

---

### Cross-Site Scripting (XSS) Vulnerability Detector

This script uses `HTTParty` to detect stored cross-site scripting (XSS) vulnerabilities in WordPress sites using the `xai_username` parameter. It sends a payload to the specified URL and checks if the payload is reflected in the response, indicating a vulnerability.

#### Features
- Sends a POST request with a potential XSS payload.
- Checks if the response contains the payload, indicating a stored XSS vulnerability.
- Supports authentication by including cookies in the request.

---
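
As an added example (not the repository's script), this Ruby helper shows the response-side check in more detail: it separates an unescaped echo of the stored value from an escaped or stripped one, and from a page that never renders the value at all. The probe, token, page names and sample bodies are constructed for illustration.

```ruby
require "cgi"

# Constructed, inert probe. The token identifies the value; the tail carries
# the characters HTML escaping rewrites (< > " ') so each outcome looks different.
TOKEN = "x7q9probe"
PROBE = %(#{TOKEN}<i data-p="'">)

# How does the stored value come back in a rendered page?
#   :unescaped - echoed byte-for-byte, markup characters intact (finding)
#   :escaped   - full probe present only after entity decoding
#   :sanitized - token present but the markup was stripped or rewritten
#   :absent    - value not rendered here; says nothing about the plugin
def classify_reflection(body, probe: PROBE, token: TOKEN)
  return :unescaped if body.include?(probe)
  return :escaped   if CGI.unescapeHTML(body).include?(probe)
  return :sanitized if body.include?(token)
  :absent
end

# Stored XSS fires where the saved value is displayed, which need not be the
# response to the save request, so classify every page that renders it.
def triage(pages)
  pages.transform_values { |body| classify_reflection(body) }
end

def findings(pages)
  triage(pages).select { |_, verdict| verdict == :unescaped }.keys
end

# Constructed sample bodies, not captured from any real site.
SAMPLE_PAGES = {
  "save-response"   => %({"success":true}),
  "render-escaped"  => %(<span class="u">#{CGI.escapeHTML(PROBE)}</span>),
  "render-wp-style" => %(<span class="u">#{TOKEN}&lt;i data-p=&quot;&#039;&quot;&gt;</span>),
  "render-stripped" => %(<span class="u">#{TOKEN}</span>),
  "render-raw"      => %(<span class="u">#{PROBE}</span>)
}.freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_PAGES).each { |page, verdict| puts format("%-16s %s", page, verdict) }
end
```

An `:absent` verdict on the save response alone is inconclusive; only the pages that display the stored value can confirm whether output escaping is applied.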
File Snapshot

[4.0K] /data/pocs/3df3e38c2967e7de18f8256a675ecd0a1d67fb83
├── [ 843] CVE-2024-4484.rb
└── [ 566] README.md

0 directories, 2 files