CVE-2024-1237 in Elementor Header & Footer Builder Plugininfo

Summary

by MITRE • 03/13/2024

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the flyout_layout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-1237 affects the Elementor Header & Footer Builder plugin for WordPress, specifically targeting versions up to and including 1.6.24. This represents a critical security flaw that undermines the integrity of WordPress sites utilizing this popular page builder extension. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating a persistent security risk that can be exploited by malicious actors with relatively low privileges.

The technical flaw manifests through the flyout_layout attribute which fails to properly sanitize user input before processing and rendering. This allows authenticated attackers who possess contributor-level access or higher to inject malicious scripts into the plugin's administrative interface. The vulnerability is classified as stored cross-site scripting since the malicious code is permanently stored within the application's database and executes whenever affected pages are accessed by any user, regardless of their privilege level. This characteristic transforms what might initially appear as a limited administrative vulnerability into a widespread security threat that can impact all site visitors.

The operational impact of this vulnerability extends far beyond simple script injection, as it provides attackers with the capability to execute arbitrary web scripts within the context of the victim's browser session. This could enable attackers to steal user credentials, session cookies, or perform unauthorized actions on behalf of authenticated users. The vulnerability's persistence means that once exploited, the malicious scripts remain active until manually removed by administrators, potentially allowing for extended periods of unauthorized access and data exfiltration. The attack vector is particularly concerning because it requires only contributor-level privileges, which are often granted to trusted users who may not be fully security-aware.

Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the sanitization and escaping deficiencies. Organizations should implement comprehensive access control measures, limiting contributor privileges to only essential users who require administrative capabilities. Additionally, regular security audits of installed plugins and themes should be conducted to identify similar vulnerabilities. The vulnerability aligns with CWE-79 which describes cross-site scripting flaws, and maps to ATT&CK technique T1566 which covers social engineering tactics. Security monitoring should include detection of unusual administrative activities and script injections in content management systems. System administrators should also consider implementing web application firewalls and content security policies to provide additional layers of protection against such attacks.

Responsible

Wordfence

Reservation

02/05/2024

Disclosure

03/13/2024

Moderation

accepted

CPE

ready

EPSS

0.00514

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!