CVE-2024-1393 in Elementor Addon Elements Plugin
Summary
by MITRE • 03/13/2024
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'icon_align' attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/19/2025
The vulnerability identified as CVE-2024-1393 affects the Elementor Addon Elements plugin for WordPress, specifically targeting the Content Switcher widget implementation. This security flaw exists within all versions up to and including 1.12.12, creating a significant risk for WordPress installations that utilize this plugin. The vulnerability manifests as a stored cross-site scripting issue that occurs when processing the 'icon_align' attribute parameter, demonstrating a critical weakness in the plugin's input validation and output escaping mechanisms.
The technical exploitation of this vulnerability occurs through insufficient sanitization of user-supplied input data within the Content Switcher widget's 'icon_align' attribute. This attribute accepts user-provided values that are not properly validated or escaped before being stored and subsequently rendered in web pages. The flaw allows authenticated attackers who possess contributor-level permissions or higher to inject malicious JavaScript code into the plugin's configuration parameters. When legitimate users access pages containing these stored malicious scripts, the injected code executes in their browsers, creating a persistent cross-site scripting attack vector. This vulnerability operates under the CWE-79 classification as a cross-site scripting flaw, specifically categorized as a stored XSS vulnerability where malicious input is permanently stored and executed.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers with contributor-level access to potentially compromise entire WordPress installations. Once an attacker successfully injects malicious scripts, they can perform actions such as stealing user session cookies, redirecting users to malicious sites, defacing content, or even executing further attacks through the compromised user sessions. The vulnerability's persistence stems from its stored nature, meaning that the malicious scripts remain active until manually removed from the plugin's configuration, potentially affecting multiple users over extended periods. This makes the vulnerability particularly dangerous for collaborative environments where multiple contributors have access to the WordPress admin interface.
Security mitigations for CVE-2024-1393 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement strict access controls and privilege management to limit contributor-level access to only trusted personnel. Additionally, regular security audits of WordPress plugins and themes should include verification of input validation mechanisms and output escaping practices. The vulnerability aligns with ATT&CK technique T1566.001 for initial access through malicious file downloads and T1059.001 for execution through script injection, making it a critical target for defensive measures. Administrators should also consider implementing web application firewalls and content security policies to provide additional layers of protection against such attacks. Regular monitoring of plugin updates and security advisories from WordPress.org and the plugin developers remains essential for maintaining security posture against similar vulnerabilities.