CVE-2024-1840 in Visual Composer Plugin
Summary
by MITRE • 05/02/2024
The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Author tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/29/2025
The vulnerability identified as CVE-2024-1840 affects the wpbakery plugin for WordPress, specifically targeting versions up to and including 7.5. This represents a critical security flaw that undermines the integrity of content management systems relying on this popular page builder plugin. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's implementation of the Post Author tag attribute, creating a persistent security risk that can be exploited by malicious actors with relatively low privileges.
The technical flaw manifests through a stored cross-site scripting vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into WordPress posts. This vulnerability operates by failing to properly sanitize user input when processing the Post Author tag attribute, which then gets stored in the database and executed whenever affected pages are accessed by other users. The stored nature of this XSS vulnerability means that the malicious payload persists even after the initial injection, making it particularly dangerous as it can affect multiple users over extended periods. This weakness directly aligns with CWE-79, which describes cross-site scripting vulnerabilities resulting from insufficient input sanitization and output escaping.
The operational impact of CVE-2024-1840 extends beyond simple script execution, as it provides attackers with a persistent foothold within WordPress environments. Once exploited, the vulnerability enables attackers to perform various malicious activities including stealing user sessions, redirecting visitors to phishing sites, defacing content, or even escalating privileges within the WordPress installation. The requirement for only contributor-level access makes this vulnerability particularly concerning as it can be exploited by users who should normally have limited permissions within the content management system. This access level typically includes users who can create and edit posts, making the attack vector more accessible than vulnerabilities requiring administrator privileges.
From a threat modeling perspective, this vulnerability fits within the ATT&CK framework under the T1566 technique for "Phishing" and T1059 for "Command and Scripting Interpreter" as attackers can leverage the stored XSS to deliver malicious payloads to unsuspecting users. The vulnerability's exploitation requires minimal technical expertise and can be automated, making it attractive to threat actors seeking to compromise WordPress installations at scale. Organizations using the wpbakery plugin in their WordPress environments face significant risk of data theft, reputation damage, and potential complete compromise of their content management systems.
Mitigation strategies for CVE-2024-1840 should prioritize immediate patching of the wpbakery plugin to version 7.6 or later, which contains the necessary security fixes. System administrators should also implement additional security measures including regular monitoring of user activities, implementing web application firewalls, and conducting thorough security audits of WordPress installations. Organizations should consider restricting contributor-level permissions where possible and implementing role-based access controls to limit the potential impact of compromised accounts. The vulnerability highlights the importance of regular security updates and the need for comprehensive input validation and output escaping mechanisms in all web applications, particularly content management systems that handle user-generated content.