CVE-2024-0586 in Essential Addons for Elementor Plugin
Summary
by MITRE • 02/06/2024
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Login/Register Element in all versions up to, and including, 5.9.4 due to insufficient input sanitization and output escaping on the custom login URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2024-0586 affects the Essential Addons for Elementor plugin, a popular WordPress plugin that provides various templates, widgets, and builders for the Elementor page builder. This particular flaw exists within the Login/Register Element functionality and impacts all versions up to and including 5.9.4. The issue stems from inadequate input sanitization and output escaping mechanisms that fail to properly handle user-supplied data when processing custom login URLs. Attackers exploiting this vulnerability can leverage the stored XSS vector to inject malicious scripts that persist in the plugin's data storage, making the attack particularly dangerous as it can affect multiple users over time.
The technical nature of this vulnerability places it squarely within the CWE-79 category of Cross-Site Scripting, specifically classified as a stored XSS attack where malicious scripts are permanently stored on the server and executed when other users access affected pages. The vulnerability requires authenticated access with contributor-level permissions or higher, which means that attackers must first compromise a user account with at least contributor privileges or higher. This access level allows them to modify plugin settings and inject malicious code through the Login/Register Element configuration, particularly targeting the custom login URL field where insufficient sanitization occurs.
The operational impact of this vulnerability is significant as it enables attackers to execute arbitrary web scripts in the context of affected websites. When legitimate users access pages containing the stored malicious content, the injected scripts execute automatically, potentially leading to session hijacking, data theft, or further compromise of the WordPress installation. The vulnerability affects not just individual users but can potentially impact entire website communities, especially in multi-user environments where contributors and higher-level users have access to plugin configuration. The stored nature of the XSS means that the malicious code remains active until manually removed by administrators, creating an ongoing security risk.
Security mitigations for this vulnerability should focus on immediate plugin updates to versions that address the sanitization and escaping issues. Administrators should also implement strict access controls and monitor user accounts for unauthorized access, particularly for users with contributor-level permissions or higher. The recommended approach includes applying the latest security patches from the plugin developers, implementing web application firewalls that can detect and block XSS attempts, and conducting regular security audits of plugin configurations. Additionally, organizations should consider implementing content security policies to limit the execution of unauthorized scripts and establish monitoring procedures for detecting unauthorized modifications to plugin settings. This vulnerability highlights the importance of proper input validation and output escaping practices as outlined in the OWASP Top Ten and aligns with ATT&CK technique T1566.002 for credential access through web application attacks.