CVE-2024-1466 in Elementor Addons Plugin
Summary
by MITRE • 04/09/2024
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slider_style’ attribute of the Posts Multislider widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-27986 may be a duplicate of this issue.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/14/2026
The vulnerability identified as CVE-2024-1466 affects the Elementor Addons by Livemesh plugin for WordPress, specifically targeting the Posts Multislider widget functionality. This security flaw exists in all plugin versions up to and including 8.3.4, representing a significant risk to WordPress sites that utilize this popular page builder extension. The vulnerability manifests as a stored cross-site scripting vulnerability that occurs when the 'slider_style' attribute is manipulated within the widget configuration interface.
The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When authenticated users with contributor-level permissions or higher interact with the Posts Multislider widget, they can inject malicious JavaScript code through the slider_style parameter. This code gets stored within the WordPress database and subsequently executed whenever any user accesses pages containing the affected widget. The vulnerability operates under CWE-79 which categorizes cross-site scripting flaws as a result of insufficient sanitization of user-supplied data. The flaw represents a classic case of stored XSS where malicious input is permanently saved and then executed in the context of other users' browsers.
The operational impact of this vulnerability is substantial as it provides authenticated attackers with the ability to execute arbitrary web scripts on behalf of other users. Contributors and above typically have sufficient privileges to modify content and widgets on WordPress sites, making this a particularly concerning issue for multi-user environments. When exploited, the malicious scripts could perform actions such as stealing user session cookies, redirecting users to malicious websites, defacing content, or even executing further attacks through the victim's browser context. The vulnerability creates a persistent threat vector that can affect any user who accesses pages containing the compromised widget, potentially leading to widespread compromise of the affected WordPress installation.
Mitigation strategies for this vulnerability should prioritize immediate patching of the Elementor Addons by Livemesh plugin to version 8.3.5 or later, which contains the necessary security fixes. Organizations should also implement additional security measures such as restricting contributor-level access to widget configuration interfaces where possible, implementing content security policies to limit script execution, and monitoring for suspicious widget modifications. From an ATT&CK framework perspective, this vulnerability aligns with techniques such as T1546.001 (Event Triggered Execution: Change Registry) and T1059.007 (Command and Scripting Interpreter: JavaScript) as attackers could potentially use this vector to establish persistent access or execute malicious code. Regular security audits of WordPress plugins and maintaining updated security monitoring tools are essential practices to prevent exploitation of similar vulnerabilities in the future.