CVE-2024-37565 in Gum Elementor Addon Plugininfo

Summary

by MITRE • 07/20/2024

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in TemeGUM Gum Elementor Addon allows Stored XSS.This issue affects Gum Elementor Addon: from n/a through 1.3.5.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 03/17/2025

The vulnerability identified as CVE-2024-37565 represents a critical security flaw in the TemeGUM Gum Elementor Addon that enables stored cross-site scripting attacks through improper input sanitization during web page generation. This vulnerability falls under the Common Weakness Enumeration category CWE-79, which specifically addresses cross-site scripting flaws where web applications fail to properly neutralize user-supplied input before incorporating it into dynamic web content. The weakness manifests when the addon processes user input without adequate validation or sanitization, creating an environment where malicious scripts can be persistently stored and executed within the context of other users' browsers.

The technical exploitation of this vulnerability occurs when an attacker submits malicious input through the addon's interface, which is then stored in the application's database or storage mechanism. When other users view pages generated by the addon, their browsers execute the stored malicious scripts without proper sanitization or escaping. This stored XSS vulnerability is particularly dangerous because the malicious code persists even after the initial submission, allowing attackers to compromise multiple users over time. The vulnerability affects all versions of the Gum Elementor Addon from the initial release through version 1.3.5, indicating a long-standing issue that has not been properly addressed.

From an operational perspective, this vulnerability poses significant risks to websites utilizing the TemeGUM Gum Elementor Addon. Attackers can exploit this flaw to steal session cookies, perform unauthorized actions on behalf of users, redirect victims to malicious sites, or even deface website content. The stored nature of the vulnerability means that the attack can affect multiple users without requiring repeated exploitation attempts, making it particularly effective for mass compromise scenarios. The impact extends beyond simple data theft to include potential complete system compromise if attackers can leverage the stored scripts to execute additional malicious payloads or establish persistent backdoors.

Organizations using affected versions of the Gum Elementor Addon should implement immediate mitigation strategies including upgrading to the latest available version that addresses this vulnerability, implementing web application firewalls to detect and block malicious input patterns, and conducting thorough security assessments of all user-generated content processing mechanisms. Additionally, administrators should review and implement proper input validation and output encoding practices as recommended by the OWASP Top Ten Project and the ATT&CK framework's T1566 technique for credential access through web application attacks. The vulnerability also highlights the importance of regular security updates and the need for comprehensive security testing of third-party plugins and addons before deployment in production environments.

Responsible

Patchstack

Reservation

06/09/2024

Disclosure

07/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00275

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!