CVE-2024-0838 in Happy Addons for Elementor Plugin
Summary
by MITRE • 02/29/2024
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the side image URL parameter in the Age Gate in all versions up to, and including, 3.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-29108 is likely a duplicate of this issue.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The vulnerability identified as CVE-2024-0838 affects the Happy Addons for Elementor WordPress plugin, specifically targeting the Age Gate feature implementation. This represents a critical security flaw that enables attackers to execute persistent cross-site scripting attacks through a carefully crafted input parameter. The vulnerability exists within the side image URL parameter handling mechanism, where the plugin fails to properly sanitize user-supplied input before storing and later rendering it on web pages. The issue impacts all versions of the plugin up to and including version 3.10.1, making it a widespread concern for WordPress installations that utilize this popular page builder extension. The vulnerability's classification as stored XSS indicates that malicious scripts are permanently stored on the server and executed whenever affected pages are accessed by unsuspecting users, creating a persistent threat vector that can affect multiple visitors over time.
The technical exploitation of this vulnerability requires an authenticated attacker with contributor-level privileges or higher, which significantly reduces the attack surface compared to unauthenticated XSS vulnerabilities. However, the impact remains severe as contributors typically have substantial editing capabilities within WordPress environments, potentially allowing attackers to compromise entire sites through this single vulnerability. The root cause stems from inadequate input sanitization practices combined with insufficient output escaping mechanisms within the plugin's codebase. This failure to properly validate and escape user input creates a direct pathway for malicious script injection, where attacker-controlled JavaScript code can be seamlessly integrated into the plugin's rendering process. The vulnerability demonstrates a classic weakness in web application security where input validation occurs too late in the processing chain or not at all, allowing malicious payloads to bypass security measures and persist within the application's data storage.
The operational impact of CVE-2024-0838 extends beyond simple script execution, potentially enabling attackers to perform session hijacking, steal sensitive user data, redirect victims to malicious sites, or even escalate their privileges within the compromised WordPress environment. When authenticated users access pages containing the injected scripts, the malicious code executes in their browser context, providing attackers with a powerful foothold for further exploitation. This vulnerability directly maps to CWE-79 which describes Cross-Site Scripting vulnerabilities, and aligns with ATT&CK technique T1566.001 for Initial Access through Spearphishing Attachments, as the malicious scripts could be used to deliver additional payloads or establish command and control channels. The persistent nature of stored XSS means that once the malicious code is injected, it continues to affect users until the vulnerability is patched and the malicious content is removed from the database, creating a long-term security risk for affected installations.
Organizations affected by this vulnerability should immediately implement mitigations including upgrading to the latest version of the Happy Addons plugin where the XSS flaw has been addressed. Security administrators should also consider implementing additional monitoring for suspicious user activities and input validation within the Elementor plugin ecosystem. The vulnerability highlights the critical importance of proper input sanitization and output escaping practices in web application development, particularly for plugins that handle user-generated content. Regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities, and automated scanning tools should be employed to detect potential XSS vectors in custom implementations. Additionally, implementing proper access controls and privilege management within WordPress installations can help limit the potential damage from such authenticated vulnerabilities, ensuring that only trusted users have the ability to modify critical plugin configurations that could introduce security risks.