Unrated severityNVD Advisory· Published Feb 13, 2025· Updated Apr 8, 2026

DethemeKit For Elementor <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via De Gallery Widget

CVE-2024-13644

Description

The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's De Gallery widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Detheme/Dethemekit For Elementorllm-fuzzy2 versions
<=2.1.8+ 1 more
- (no CPE)range: <=2.1.8
- (no CPE)range: 0
WordPress/Dethemekit For Elementorwp-canonicalize
Package: https://wordpress.org/plugins/dethemekit-for-elementor

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000

DethemeKit For Elementor <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via De Gallery Widget

Description

AI Insight

Affected products

Patches

Vulnerability mechanics

References

News mentions