CVE-2024-3889
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Accordion widget in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes like 'accordion_title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 9,279 live websites that are affected by CVE-2024-3889.
Affected Software
| Product |  Royal Elementor Addons |
| Category | Wordpress Plugins |
| Vulnerable Domains | 9,279 live websites (17.92% of Royal Elementor Addons install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 85 versions ( 70.83% of all versions) |
Details
- Published - Apr 23, 2024
- Updated - Aug 1, 2024
Credits
- Ngô Thiên An (finder)
CVE References
CVE-2024-3889 usage by Country
 United States | 2,384 websites |
 Germany | 1,307 websites |
 France | 783 websites |
 Cyprus | 527 websites |
 Brazil | 494 websites |
 Russia | 360 websites |
 Italy | 278 websites |
 GB | 269 websites |
 Poland | 237 websites |
 Spain | 219 websites |
CVE-2024-3889 usage by TLD
| .com | 3,574 websites |
| .com.br | 756 websites |
| .de | 420 websites |
| .org | 348 websites |
| .fr | 319 websites |
| .ru | 311 websites |
| .it | 248 websites |
| .pl | 187 websites |
| .net | 165 websites |
| .co.uk | 133 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2024-3889
Top websites that are affected by CVE-2024-3889. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | **,*** | |
| *********.com | United States | **,*** | |
| *********.com | United States | **,*** | |
| ******.com | United States | **,*** | |
| ***********.net | United States | **,*** | |
| *****.clinic |  Israel | **,*** | |
| ************.com | United States | ***,*** | |
| ******.org | GB | ***,*** | |
| ******.me | United States | ***,*** | |
| **********.com | United States | ***,*** |
FAQ
A total of 9,279 websites have been identified as vulnerable to CVE-2024-3889, discovered through global website indexing conducted by WebTechSurvey.
Royal Elementor Addons is susceptible to CVE-2024-3889 vulnerability.
Royal Elementor Addons versions before, and including, 1.3.971 are vulnerable to CVE-2024-3889.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/83ea2ec3-5d5b-44ea-83e6-41c4fa6e2e5f?source=cve
- https://plugins.trac.wordpress.org/changeset/3072880/royal-elementor-addons/tags/1.3.972/modules/advanced-accordion/widgets/wpr-advanced-accordion.php?old=3069462&old_path=royal-elementor-addons%2Ftags%2F1.3.971%2Fmodules%2Fadvanced-accordion%2Fwidgets%2Fwpr-advanced-accordion.php