CVE-2024-10325
Elementor Header & Footer Builder <= 1.6.45 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File UploadThe Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.6.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
We have discovered 73,419 live websites that are affected by CVE-2024-10325.
Affected Software
| Product |  Header Footer and Blocks for Elementor |
| Category | Wordpress Plugins |
| Vulnerable Domains | 73,419 live websites (28% of Header Footer and Blocks for Elementor install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 80 versions ( 71% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Nov 8, 2024
- Updated - Nov 8, 2024
Credits
- Francesco Carlucci (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2024-10325 United States | 15,023 websites |
 Germany | 6,765 websites |
 France | 4,447 websites |
 GB | 3,334 websites |
 Brazil | 2,960 websites |
 India | 2,838 websites |
 Russia | 2,761 websites |
 Italy | 2,699 websites |
 Spain | 2,669 websites |
 Poland | 2,428 websites |
Website Distribution by TLD
Number of websites using CVE-2024-10325| .com | 28,784 websites |
| .de | 3,022 websites |
| .org | 2,757 websites |
| .com.br | 2,719 websites |
| .ru | 2,189 websites |
| .it | 1,884 websites |
| .pl | 1,868 websites |
| .co.uk | 1,824 websites |
| .fr | 1,820 websites |
| .nl | 1,534 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-10325
Top websites that are affected by CVE-2024-10325. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| *******.co |  Serbia | **,*** | |
| *****.com | United States | **,*** | |
| ***.com | United States | **,*** | |
| *****.es | Spain | **,*** | |
| *******.com | United States | **,*** | |
| ***********.org | United States | **,*** | |
| ****.com | United States | **,*** | |
| ********.me | United States | **,*** |
FAQ
CVE-2024-10325 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Header Footer and Blocks for Elementor
A total of 73,419 websites have been identified as vulnerable to CVE-2024-10325, based on global website indexing conducted by WebTechSurvey.
The Header Footer and Blocks for Elementor is affected by the CVE-2024-10325 vulnerability.
Header Footer and Blocks for Elementor versions up to and including 1.6.45 are vulnerable to CVE-2024-10325.