CVE-2024-10266 in Premium Addons for Elementor Plugin
Summary
by MITRE • 10/29/2024
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Box widget in all versions up to, and including, 4.10.60 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 06/11/2026
Premium Addons for Elementor is a widely used WordPress extension that adds widgets and other page-building features on top of Elementor. The vulnerability sits in the Video Box widget, which renders user-supplied widget attributes without adequate sanitization or escaping. It affects all versions up to and including 4.10.60. The issue is classified as stored cross-site scripting because the injected markup is saved with the page's widget settings in the site's database and is rendered, and therefore executed, every time the affected page is served to a visitor.
Exploitation relies on the plugin neither validating the attribute values on input nor escaping them on output. An authenticated user with contributor-level access or higher enters a crafted value in a Video Box widget attribute; the plugin stores it unchanged and later writes it into the generated HTML, so the attacker controls markup that runs as script in the browsers of other users who view the page. Two details matter for defenders. First, contributors do not hold the `unfiltered_html` capability, so WordPress core would strip script from their post content; widget settings saved through the plugin's own code path are the plugin's responsibility to sanitize, which is where the check was missing. Second, the weakness is in the handling of attribute values specifically, so a payload does not need a literal `<script>` tag: closing the surrounding attribute quote and adding an event-handler attribute, or supplying a `javascript:` URL where a link is expected, is enough.
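The pattern described above, as an added example that is not code from the plugin or from VulDB: a small Python model of a widget render routine that interpolates attribute values unescaped, beside a hardened version that escapes on output and restricts the URL scheme. Python's `html.escape` stands in for the WordPress `esc_attr()`/`esc_url()` functions a real fix would use; the setting names `video_url` and `title`, and the sample values, are constructed for illustration and are not the plugin's real setting keys. The output is run through an HTML parser so that the attributes a browser would actually see can be compared.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed settings resembling what a contributor could save in a widget.
# The setting keys are assumptions, not the plugin's real field names.
MALICIOUS_SETTINGS = {
    "video_url": "javascript:alert(document.cookie)",
    "title": '" onmouseover="alert(1)',
}

TEMPLATE = '<a class="video-box" href="{}" title="{}">Play</a>'


def render_vulnerable(settings: dict) -> str:
    """Flawed pattern: attribute values written into markup as-is."""
    return TEMPLATE.format(settings["video_url"], settings["title"])


def render_hardened(settings: dict) -> str:
    """Escape on output and allow only http(s) URLs in href.

    html.escape(quote=True) is a stand-in for esc_attr(); the scheme
    check is a stand-in for esc_url(), which also drops javascript: URLs.
    """
    url = settings["video_url"].strip()
    if urlparse(url).scheme.lower() not in ("http", "https"):
        url = ""
    return TEMPLATE.format(
        html.escape(url, quote=True),
        html.escape(settings["title"], quote=True),
    )


class _AttrCollector(HTMLParser):
    """Records the attributes of the first <a> tag, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)


def browser_view(markup: str) -> dict:
    """Return the attribute map the browser would build for the rendered link."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    print("vulnerable:", browser_view(render_vulnerable(MALICIOUS_SETTINGS)))
    print("hardened:  ", browser_view(render_hardened(MALICIOUS_SETTINGS)))
```

In the vulnerable rendering the parser reports an `onmouseover` attribute and a `javascript:` href, meaning the contributor's value has become new markup. In the hardened rendering the whole title survives as a single, harmless attribute value and the link target is empty. Escaping at the point of output is what makes the difference; validating on input alone would still leave previously stored values live.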
The operational impact goes beyond running a script in a visitor's browser: the injected code executes with the session of whoever views the page, so it can steal credentials entered on the site, ride the victim's authenticated session, and exfiltrate data. The required privilege level is what makes this notable. Contributors cannot publish, so an injected page usually reaches other users when an editor or administrator previews or reviews the submission, or after it has been published; a script running in an administrator's session can then perform administrative actions on the attacker's behalf. Because the payload is stored with the widget settings, it stays in the database until the content is cleaned up. An update that escapes on output will stop the stored value from rendering as markup, but sites should still audit existing Video Box content rather than assume the stored payload is gone.
The immediate mitigation is to update Premium Addons for Elementor to a release later than 4.10.60, which is the last affected version according to the summary. The weakness is CWE-79, improper neutralization of input during web page generation. Beyond patching, sites should audit existing Video Box widget content for injected markup, restrict contributor accounts to people who need them and review their submissions, keep third-party plugins under regular review, and use a web application firewall as a secondary control, bearing in mind that a WAF inspects the request that stores the payload and will miss encodings it does not recognise. The case is a reminder that in a content management system every plugin that stores and re-renders user-supplied values must escape them on output, regardless of the capabilities WordPress core grants the submitting user.