CVE-2024-1841 in Visual Composer Plugin

Summary

by MITRE • 05/02/2024

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Title tag attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 05/29/2025

The vulnerability identified as CVE-2024-1841 affects the wpbakery plugin for WordPress and is a critical security flaw that enables stored cross-site scripting attacks. It exists in all versions up to and including version 7.5 of the plugin, making it a widespread concern for WordPress installations that use this popular page builder. The flaw lies in the Post Title tag attribute, which is commonly used within the plugin's interface for content creation and management.

The technical root cause of this vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms within the wpbakery plugin's codebase. When authenticated attackers with contributor-level access or higher submit malicious content through the Post Title tag attribute, the plugin fails to properly validate or sanitize the input before storing it in the database. This stored malicious content then executes whenever any user accesses the affected page, creating a persistent cross-site scripting vector that can affect multiple users over time.
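To make the two missing controls concrete, here is an added illustration (not WPBakery's code, which this page does not show) of a page-builder element that stores a user-supplied title and later renders it into HTML, first with the stored value concatenated straight into markup and then with context-aware output escaping. The esc_attr() and esc_html() definitions are assumed stand-ins for the WordPress functions of the same name so the file runs outside WordPress; the stored value is constructed.

```php
<?php
// Added example, not code from WPBakery or from this page. It models a
// page-builder element whose "title" attribute is saved by a low-privilege
// author and rendered later for every visitor of the page.

// Stand-ins for WordPress's esc_attr()/esc_html() so this runs outside
// WordPress (assumption: close enough in behaviour for this demonstration).
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (deliberate): the stored attribute goes into markup
// unchanged, so a double quote in it terminates the attribute and any tag
// in it becomes live HTML for whoever views the page.
function render_title_vulnerable(array $atts): string {
    $title = $atts['title'] ?? '';
    return '<h2 class="vc-title" title="' . $title . '">' . $title . '</h2>';
}

// Hardened pattern: escape for the exact output context. Attribute values
// get esc_attr(), element text gets esc_html(). Escaping at output time is
// the control that still holds if a value reached the database unsanitized.
function render_title_hardened(array $atts): string {
    $title = (string) ($atts['title'] ?? '');
    return '<h2 class="vc-title" title="' . esc_attr($title) . '">'
         . esc_html($title) . '</h2>';
}

// Constructed stored value: a benign canary, not a real payload.
$stored = ['title' => 'Quarterly report"><script>alert(1)</script>'];

echo "Vulnerable output:\n", render_title_vulnerable($stored), "\n\n";
echo "Hardened output:\n",   render_title_hardened($stored),   "\n";
```

In the hardened output the quote and angle brackets appear as `&quot;`, `&lt;` and `&gt;`, so the browser shows the text literally instead of parsing a new tag.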

From an operational perspective, this vulnerability poses significant risks to WordPress websites that rely on the wpbakery plugin for content management. The requirement for only contributor-level access or higher means that attackers can exploit this weakness even in environments with relatively strict user permission controls. The stored nature of the XSS attack allows threat actors to inject malicious scripts that can persist for extended periods, potentially capturing user credentials, session information, or redirecting users to malicious sites. This makes the vulnerability particularly dangerous in environments where multiple users regularly access the administration interface.

The impact of CVE-2024-1841 aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities in web applications. This classification indicates that the vulnerability represents a classic stored XSS flaw where malicious input is permanently stored and then executed in the context of other users' browsers. The ATT&CK framework categorizes this type of vulnerability under T1566, which covers credential access through social engineering and malicious code injection techniques. Organizations using this plugin should immediately implement mitigations including plugin updates, input validation measures, and monitoring for suspicious user activity. The vulnerability demonstrates the critical importance of proper input sanitization and output escaping practices in web application development, particularly for plugins that handle user-generated content in content management systems.

This vulnerability exemplifies the risks associated with insufficient security controls in popular WordPress plugins and highlights the necessity for regular security assessments of third-party components. The stored nature of the attack means that even users who do not directly interact with the malicious content can be affected, creating a broader attack surface than typical reflected XSS vulnerabilities. Organizations should conduct immediate vulnerability assessments of their WordPress installations and implement appropriate security controls to prevent exploitation of this and similar vulnerabilities in their web applications.

Responsible: Wordfence

Reservation: 02/23/2024

Disclosure: 05/02/2024

Moderation: accepted

CPE: ready

EPSS: 0.00320

KEV: no

Activities: very low

Sources
