CVE-2024-2028 in Exclusive Addons for Elementor Plugin
Summary
by MITRE • 03/13/2024
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Covid-19 Stats Widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/18/2025
CVE-2024-2028 affects the Exclusive Addons for Elementor WordPress plugin, specifically its Covid-19 Stats Widget component. It is a critical security flaw that enables stored cross-site scripting, in which malicious code is persistently injected into the plugin's output. All versions up to and including 2.6.9 are affected, making it a widespread concern for WordPress sites that use this plugin. The flaw stems from inadequate input sanitization and insufficient output escaping in the widget's implementation, leaving a persistent gap that authenticated users can exploit.
Exploitation occurs when an authenticated attacker with contributor-level permissions or higher injects malicious scripts through the Covid-19 Stats Widget interface. The scripts are stored in the plugin's data and executed whenever any user views a page containing the compromised widget. The vulnerability is classified as CWE-79, improper neutralization of input during web page generation, here in its stored cross-site scripting form. This lets the attacker run code in the context of the victim's browser, potentially enabling session hijacking, data theft, or further compromise of the affected WordPress installation.
The operational impact of CVE-2024-2028 extends beyond simple script execution, since it gives attackers persistent access to compromised sites. Because the vulnerability requires only contributor-level privileges, it poses a significant risk to WordPress installations where multiple users have editing capabilities. Its stored nature means that once injected, malicious scripts remain active until manually removed, creating ongoing exposure for every user who views an affected page. This vulnerability directly maps to the MITRE ATT&CK techniques T1546.001 ("Application Shimming") and T1059.001 ("Command and Scripting Interpreter"), as it enables persistent code execution through legitimate plugin interfaces.
Organizations affected by this vulnerability should immediately update to the latest version of the Exclusive Addons for Elementor plugin, in which the XSS flaw has been patched. System administrators should audit all WordPress installations that use this plugin to identify and remove any malicious scripts that may already have been injected. Implementing proper input validation and output escaping at the application level can also help prevent similar vulnerabilities. Security monitoring should include checks for unauthorized modifications to plugin components, and a web application firewall can help detect and block suspicious script injection attempts. The vulnerability highlights the importance of sound security practices in plugin development, particularly around user input handling and the capabilities granted to lower-privileged roles.
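As an added illustration of the bug class described above (this is not the plugin's own code; the widget class, control names and setting values are hypothetical), here is the unescaped-output pattern in an Elementor widget beside its hardened form, which escapes each contributor-editable setting with the WordPress function that matches the HTML context it lands in:

```php
<?php
// Added illustration, not the plugin's code: a hypothetical Elementor widget
// that renders user-supplied settings (a title, a country label, a link) into
// HTML. Contributors can edit these settings, so they must be treated as untrusted.

class Hypothetical_Stats_Widget extends \Elementor\Widget_Base {

    public function get_name() {
        return 'hypothetical_stats';
    }

    // Vulnerable pattern (kept only for contrast, never called): settings are
    // concatenated straight into markup, so whatever a contributor typed into
    // the control reaches every visitor's browser verbatim.
    protected function render_unescaped() {
        $s = $this->get_settings_for_display();
        echo '<div class="stats" data-country="' . $s['country'] . '">';
        echo '<h3>' . $s['title'] . '</h3>';
        echo '<a href="' . $s['source_url'] . '">' . $s['source_label'] . '</a>';
        echo '</div>';
    }

    // Hardened pattern: escape at output time, per context. Output escaping is
    // the layer that holds even if an earlier sanitization step was skipped.
    protected function render() {
        $s = $this->get_settings_for_display();

        // Attribute context: esc_attr() encodes quotes and angle brackets.
        $country = esc_attr( $s['country'] );
        // HTML text context: esc_html() makes any tags render as literal text.
        $title = esc_html( $s['title'] );
        // URL context: esc_url() rejects schemes outside WordPress's allow-list
        // (e.g. javascript:), returning an empty string instead of the value.
        $url = esc_url( $s['source_url'] );
        // If limited rich text is a feature, allow-list it with wp_kses_post()
        // rather than trusting it; script tags and event handlers are dropped.
        $label = wp_kses_post( $s['source_label'] );

        printf(
            '<div class="stats" data-country="%s"><h3>%s</h3><a href="%s">%s</a></div>',
            $country,
            $title,
            $url,
            $label
        );
    }
}
```

When auditing an installed widget for this defect, the question to ask of every `echo` or `printf` in `render()` is which of these escaping functions wraps each setting, and whether it matches the context (attribute, text, URL) the value is written into.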