
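4 vulnerability records found for Zita Site Library for Elementor by wpzita (2 distinct CVEs, CVE-2024-8921 and CVE-2024-3249, each listed once from the nvd source and once from the cvelistv5 source)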

CVE-2024-8921 (GCVE-0-2024-8921)

Vulnerability from nvd – Published: 2024-10-16 11:03 – Updated: 2026-04-08 17:23
Title
Zita Elementor Site Library <= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Summary
The Zita Elementor Site Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor Product Version
wpzita Zita Site Library for Elementor Affected: 0 , ≤ 1.6.3 (semver)
Credits
Francesco Carlucci

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8921",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-16T12:56:57.564193Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-16T12:57:15.360Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Zita Site Library for Elementor",
          "vendor": "wpzita",
          "versions": [
            {
              "lessThanOrEqual": "1.6.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Francesco Carlucci"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Zita Elementor Site Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:23:41.440Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc1c76ee-078d-4c9a-a4d3-063d9147d7e8?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zita-site-library/trunk/importer/wxr-importer.php#L160"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zita-site-library/trunk/inc/importer.php#L148"
        },
        {
          "url": "https://wordpress.org/plugins/zita-site-library/#developers"
        },
        {
          "url": "https://wpzita.com/changelog/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3168327/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-15T21:49:51.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Zita Elementor Site Library \u003c= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-8921",
    "datePublished": "2024-10-16T11:03:11.641Z",
    "dateReserved": "2024-09-16T22:52:56.334Z",
    "dateUpdated": "2026-04-08T17:23:41.440Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-3249 (GCVE-0-2024-3249)

Vulnerability from nvd – Published: 2024-06-25 06:57 – Updated: 2026-04-08 16:57
Title
Zita Elementor Site Library <= 1.6.2 - Missing Authorization to Page Creation and Options Modification
Summary
The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2; because the fix was only partial, 1.6.2 is still inside the affected range (≤ 1.6.2) listed under Impacted products.
CWE
  • CWE-862 - Missing Authorization
Assigner
Wordfence
Impacted products
Vendor Product Version
wpzita Zita Site Library for Elementor Affected: 0 , ≤ 1.6.2 (semver)
Credits
Lucio Sá

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3249",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-02T14:33:01.420484Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-02T14:33:11.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:05:08.365Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Zita Site Library for Elementor",
          "vendor": "wpzita",
          "versions": [
            {
              "lessThanOrEqual": "1.6.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lucio S\u00e1"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin\u0027s customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:57:09.162Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-04T00:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2024-06-24T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Zita Elementor Site Library \u003c= 1.6.2 - Missing Authorization to Page Creation and Options Modification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-3249",
    "datePublished": "2024-06-25T06:57:38.060Z",
    "dateReserved": "2024-04-02T23:57:51.528Z",
    "dateUpdated": "2026-04-08T16:57:09.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-8921 (GCVE-0-2024-8921)

Vulnerability from cvelistv5 – Published: 2024-10-16 11:03 – Updated: 2026-04-08 17:23
Title
Zita Elementor Site Library <= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Summary
The Zita Elementor Site Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor Product Version
wpzita Zita Site Library for Elementor Affected: 0 , ≤ 1.6.3 (semver)
Credits
Francesco Carlucci

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8921",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-16T12:56:57.564193Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-16T12:57:15.360Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Zita Site Library for Elementor",
          "vendor": "wpzita",
          "versions": [
            {
              "lessThanOrEqual": "1.6.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Francesco Carlucci"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Zita Elementor Site Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:23:41.440Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc1c76ee-078d-4c9a-a4d3-063d9147d7e8?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zita-site-library/trunk/importer/wxr-importer.php#L160"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zita-site-library/trunk/inc/importer.php#L148"
        },
        {
          "url": "https://wordpress.org/plugins/zita-site-library/#developers"
        },
        {
          "url": "https://wpzita.com/changelog/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3168327/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-10-15T21:49:51.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Zita Elementor Site Library \u003c= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-8921",
    "datePublished": "2024-10-16T11:03:11.641Z",
    "dateReserved": "2024-09-16T22:52:56.334Z",
    "dateUpdated": "2026-04-08T17:23:41.440Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-3249 (GCVE-0-2024-3249)

Vulnerability from cvelistv5 – Published: 2024-06-25 06:57 – Updated: 2026-04-08 16:57
Title
Zita Elementor Site Library <= 1.6.2 - Missing Authorization to Page Creation and Options Modification
Summary
The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2; because the fix was only partial, 1.6.2 is still inside the affected range (≤ 1.6.2) listed under Impacted products.
CWE
  • CWE-862 - Missing Authorization
Assigner
Wordfence
Impacted products
Vendor Product Version
wpzita Zita Site Library for Elementor Affected: 0 , ≤ 1.6.2 (semver)
Credits
Lucio Sá

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3249",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-02T14:33:01.420484Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-02T14:33:11.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:05:08.365Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Zita Site Library for Elementor",
          "vendor": "wpzita",
          "versions": [
            {
              "lessThanOrEqual": "1.6.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lucio S\u00e1"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin\u0027s customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:57:09.162Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/62bc3794-a2c2-4c1a-b1c9-2be6e2526635?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3100431/zita-site-library"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3105478/zita-site-library"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-04-04T00:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2024-06-24T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Zita Elementor Site Library \u003c= 1.6.2 - Missing Authorization to Page Creation and Options Modification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-3249",
    "datePublished": "2024-06-25T06:57:38.060Z",
    "dateReserved": "2024-04-02T23:57:51.528Z",
    "dateUpdated": "2026-04-08T16:57:09.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}