CVE-2024-1465 in Elementor Addons Plugininfo

Summary

by MITRE • 04/09/2024

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘carousel_skin’ attribute of the Posts Carousel widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/14/2026

The vulnerability identified as CVE-2024-1465 affects the Elementor Addons by Livemesh plugin for WordPress, specifically targeting the Posts Carousel widget's 'carousel_skin' attribute. This represents a critical stored cross-site scripting flaw that has been present in all versions up to and including 8.3.4. The vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's codebase, creating a persistent security risk that can be exploited by attackers with relatively low privileges.

The technical implementation of this vulnerability allows authenticated attackers who possess contributor-level access or higher to inject malicious scripts into the plugin's carousel_skin parameter. When this parameter is processed and rendered in the user interface, the malicious code executes within the context of the victim's browser session. This stored nature of the vulnerability means that once the malicious payload is injected, it remains persistent and will execute automatically whenever any user accesses a page containing the compromised carousel element. The vulnerability operates at the application layer and directly impacts the integrity of the WordPress content management system.

From an operational perspective, this vulnerability creates significant risks for WordPress sites utilizing the affected plugin. Attackers can leverage this flaw to execute arbitrary web scripts, potentially leading to session hijacking, data theft, or further escalation of privileges within the WordPress environment. The requirement for only contributor-level access makes this vulnerability particularly concerning as it can be exploited by users who should normally have limited administrative capabilities. The impact extends beyond simple script execution, as the malicious scripts can access cookies, localStorage, and other browser-based data that may contain sensitive information or session tokens.

Security professionals should consider this vulnerability in relation to CWE-79 which specifically addresses cross-site scripting flaws in web applications. The ATT&CK framework categorizes this as a technique involving code injection within web applications, potentially leading to privilege escalation and persistent access within the compromised environment. Organizations should immediately implement mitigation strategies including updating to the latest plugin version, implementing strict input validation, and conducting thorough security audits of all third-party plugins. Additionally, administrators should consider implementing web application firewalls and monitoring for suspicious user activities that might indicate exploitation attempts. The vulnerability highlights the importance of proper sanitization and escaping mechanisms in web applications, particularly when handling user-provided content in CMS environments where multiple user roles exist with varying levels of access privileges.

Responsible

Wordfence

Reservation

02/12/2024

Disclosure

04/09/2024

Moderation

accepted

CPE

ready

EPSS

0.00427

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!