Community Warning: XSS in Themesflat Elementor Addons (CVE-2024-4212)

Cross-Site Scripting (XSS) in WordPress themesflat-addons-for-elementor Plugin
Plugin Name: themesflat-addons-for-elementor
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2024-4212
Urgency: Medium
CVE Publish Date: 2026-02-02
Source URL: CVE-2024-4212

themesflat-addons-for-elementor — Reflected XSS (CVE-2024-4212) — Hong Kong Security Advisory

Author: Hong Kong Security Expert — advisory and operational guidance for site administrators and developers.

Executive summary

On 2026-02-02 a Cross-Site Scripting (XSS) vulnerability in the WordPress plugin themesflat-addons-for-elementor was published as CVE-2024-4212. The issue is a reflected/DOM-based XSS caused by insufficient input validation and missing output escaping in one or more widgets shipped with the plugin. An attacker can craft a URL, or supply input that a widget reflects into the page, so that when a victim's browser renders that page, attacker-controlled JavaScript executes in the origin of the vulnerable site.

Impact: session theft, account takeover (if a logged-in administrator or editor is lured to the crafted URL, the script runs with that user's session and can act on their behalf), persistent defacement when the payload reaches a stored context, and targeting of site visitors via phishing links. Rated Medium severity based on the CVE metadata and the fact that exploitation requires victim interaction.

Technical details (concise)

  • Vulnerability class: Cross‑Site Scripting (reflected / DOM).
  • Root cause: failure to properly sanitize and escape user-controlled input before inserting into HTML or attributes rendered by Elementor widgets.
  • Likely vectors: query parameters, widget settings that accept free-text or URL values, and attributes that are printed into markup without esc_html/esc_attr or proper wp_kses filtering.
  • Exploitability: requires victim to visit a crafted URL or interact with content that reflects attacker-supplied input; social engineering is a likely delivery mechanism.
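The following is an added illustration of the vulnerable pattern described above beside its hardened form. It is not code from the themesflat-addons-for-elementor plugin or from this advisory's author; the widget markup, the `tab` query parameter and the setting keys (`link_url`, `title`, `label`, `description`) are hypothetical. Only standard WordPress escaping and sanitization functions are used, so it runs inside a WordPress context (for example from a mu-plugin or wp shell), not stand-alone.

```php
<?php
// Added example, not the plugin's own code. Widget structure and setting names are
// hypothetical; in a real Elementor widget $settings would come from
// $this->get_settings_for_display() inside render().

// --- Vulnerable pattern: user-controlled values printed straight into markup ---
function tf_example_vulnerable_render( array $settings ) {
    // $_GET['tab'] is attacker-controlled via a crafted URL: the reflected vector.
    $active_tab = isset( $_GET['tab'] ) ? $_GET['tab'] : '';

    // Attribute, URL and text contexts, none of them escaped.
    echo '<a class="tf-btn" href="' . $settings['link_url'] . '" title="' . $settings['title'] . '">';
    echo $settings['label'];
    echo '</a>';
    echo '<div class="tf-desc">' . $settings['description'] . '</div>';
    echo '<div class="tf-tabs" data-active="' . $active_tab . '"></div>';
}

// --- Hardened pattern: sanitize on input, escape on output, one escaper per context ---
function tf_example_hardened_render( array $settings ) {
    // Sanitize the reflected parameter first (wp_unslash undoes WP's magic quoting,
    // sanitize_key reduces it to [a-z0-9_-]), then escape again for the attribute context.
    $active_tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : '';

    // esc_url() returns '' for schemes outside wp_allowed_protocols() (e.g. javascript:)
    // and escapes the rest; esc_attr() is for attribute values, esc_html() for text nodes.
    printf(
        '<a class="tf-btn" href="%s" title="%s">%s</a>',
        esc_url( $settings['link_url'] ),
        esc_attr( $settings['title'] ),
        esc_html( $settings['label'] )
    );

    // A setting that legitimately carries limited HTML goes through wp_kses_post(),
    // which keeps post-safe tags and strips <script>, event handlers and bad URLs.
    echo '<div class="tf-desc">' . wp_kses_post( $settings['description'] ) . '</div>';

    echo '<div class="tf-tabs" data-active="' . esc_attr( $active_tab ) . '"></div>';
}

// Constructed sample input (not real data) covering the three injection contexts.
$tf_example_settings = array(
    'link_url'    => 'javascript:alert(document.cookie)',   // URL context
    'title'       => '" onmouseover="alert(1)',             // attribute breakout
    'label'       => '<img src=x onerror=alert(1)>',        // text node
    'description' => '<p>Hello</p><script>alert(1)</script>', // limited-HTML field
);

// Usage inside WordPress: tf_example_hardened_render( $tf_example_settings );
```

Running the hardened version against the constructed settings drops the `javascript:` URL entirely, entity-encodes the quote in `title` so the attribute cannot be closed early, renders the `label` as literal text rather than an `<img>` element, and keeps the `<p>` while removing the `<script>` from `description`. The vulnerable version emits every payload verbatim, which is the behaviour the advisory attributes to the affected widgets.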

Affected versions

All known releases that do not contain the vendor’s fix are affected. Administrators should consult the plugin changelog or the plugin repository page to identify the patched release. If you cannot determine the safe version, assume your current installation is affected until proven otherwise.

Detection and indicators of compromise

  • Unusual