CVE-2024-1326 in Jeg Elementor Kit Plugininfo

Summary

by MITRE • 03/21/2024

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tag attributes in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-29101 is likely a duplicate of this issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/13/2026

The Jeg Elementor Kit plugin for WordPress presents a significant security vulnerability classified as stored cross-site scripting that affects versions up to and including 262. This weakness stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating a persistent vector for malicious code injection. The vulnerability specifically targets HTML tag attributes, allowing attackers to embed malicious scripts that execute in the context of other users' browsers when they access compromised pages. The security implications are particularly concerning given that authenticated attackers with contributor-level permissions or higher can exploit this flaw, bypassing typical user access controls that should prevent such privilege escalation.

The technical flaw manifests in the plugin's failure to properly validate and sanitize user inputs that are subsequently rendered in HTML attributes without adequate escaping mechanisms. When administrators or contributors create or modify content through the Elementor interface, the plugin processes these inputs without sufficient security checks, allowing potentially malicious HTML attributes to be stored in the database. This stored data is then served to other users without proper sanitization, creating a classic stored XSS attack vector where the malicious script executes in the victim's browser context. The vulnerability operates at the application layer and specifically affects the plugin's handling of HTML attributes, making it particularly dangerous as it can be exploited through legitimate content creation workflows.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to perform actions on behalf of legitimate users. An attacker with contributor privileges could inject scripts that steal session cookies, redirect users to malicious sites, or even modify content on the target website. The stored nature of the vulnerability means that the malicious code persists even after the initial injection, continuously affecting any user who accesses the compromised pages. This persistent threat can be leveraged for credential theft, data exfiltration, or as a stepping stone for further attacks within the compromised WordPress environment, potentially leading to full administrative control of the site.

Security professionals should implement immediate mitigations including updating to the latest plugin version where this vulnerability has been patched, implementing proper input validation at multiple layers, and conducting thorough security audits of all installed plugins. Organizations should also consider implementing content security policies to limit the execution of unauthorized scripts, monitor for suspicious user activities, and review user permissions to ensure that only trusted individuals have contributor or higher privileges. The vulnerability aligns with CWE-79 which describes cross-site scripting flaws, and represents a clear violation of the principle of least privilege as defined in security best practices. Additionally, this weakness maps to ATT&CK technique T1548.003 which involves exploiting application permissions to gain elevated access, making it a critical concern for organizations relying on WordPress platforms.

Responsible

Wordfence

Reservation

02/07/2024

Disclosure

03/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00505

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!