CVE-2024-1996 in Premium Addons for Elementor Pro Plugininfo

Summary

by MITRE • 03/13/2024

The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's IHover widget link in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-1996 affects the Premium Addons PRO plugin for WordPress, specifically targeting the IHover widget functionality within versions up to and including 2.9.12. This represents a critical security flaw that undermines the integrity of WordPress sites utilizing this plugin, creating potential entry points for malicious actors to execute harmful code within the context of user sessions. The vulnerability stems from inadequate input validation mechanisms and insufficient output escaping practices that fail to properly sanitize user-supplied attributes before they are processed and rendered within web pages. Security researchers have identified that this flaw enables authenticated attackers who possess contributor-level privileges or higher to exploit the system and inject malicious scripts that can persist across multiple user interactions.

The technical implementation of this stored cross-site scripting vulnerability occurs when user-supplied data is accepted through the IHover widget link functionality without proper sanitization measures. This flaw allows attackers to inject malicious JavaScript code into the plugin's attribute handling mechanism, which then gets stored within the WordPress database. When legitimate users access pages containing these maliciously injected attributes, the stored scripts execute in their browsers, creating a persistent threat that can affect multiple users over time. The vulnerability is particularly concerning because it requires only contributor-level permissions to exploit, which is a relatively low privilege level that many WordPress sites may not adequately monitor or restrict. This aligns with CWE-79 which defines cross-site scripting vulnerabilities as weaknesses that occur when untrusted data is sent to a web browser without proper validation or escaping.

The operational impact of CVE-2024-1996 extends beyond simple script execution, as it creates opportunities for attackers to perform session hijacking, data theft, and further escalation attacks within compromised WordPress environments. The stored nature of the vulnerability means that malicious scripts remain active until manually removed from the system, potentially allowing attackers to maintain persistent access to affected sites. This type of vulnerability can be leveraged to redirect users to malicious domains, steal cookies and session information, or even install additional malware on affected systems. Attackers can exploit this flaw to compromise not just individual user accounts but potentially entire WordPress installations, especially when combined with other vulnerabilities or when the compromised site serves as a stepping stone for broader attacks. The implications for organizations relying on WordPress for their digital presence are significant, as this vulnerability can lead to data breaches, reputational damage, and compliance violations.

Organizations affected by this vulnerability should immediately implement mitigation strategies to protect their WordPress installations from exploitation. The primary recommended action involves updating the Premium Addons PRO plugin to the latest version that addresses this specific vulnerability, as provided by the plugin vendor. System administrators should also consider implementing additional security measures including restricting user permissions to minimize the impact of potential compromise, deploying web application firewalls to detect and block malicious script injections, and conducting comprehensive security audits of all WordPress plugins and themes. The ATT&CK framework categorizes this type of vulnerability under T1548.003 for abuse of credentials and T1059.007 for command and scripting interpreter, highlighting the multi-stage nature of attacks that can emerge from such flaws. Regular monitoring of plugin updates, implementation of security headers, and maintaining detailed audit logs are essential practices that should be adopted to prevent exploitation of similar vulnerabilities in the future, as this vulnerability demonstrates the critical importance of proper input sanitization and output escaping in web application development.

Reservation

02/28/2024

Disclosure

03/13/2024

Moderation

accepted

CPE

ready

EPSS

0.00399

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!