CVE-2024-2117 in Elementor Website Builder Plugininfo

Summary

by MITRE • 04/10/2024

The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Path Widget in all versions up to, and including, 3.20.2 due to insufficient output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/14/2026

The vulnerability identified as CVE-2024-2117 affects the Elementor Website Builder plugin for WordPress, specifically targeting the Path Widget functionality within versions up to and including 3.20.2. This represents a critical security flaw that exploits stored cross-site scripting mechanisms, allowing malicious actors with contributor-level privileges or higher to inject persistent malicious scripts into WordPress pages. The vulnerability stems from inadequate output escaping practices during the handling of user-supplied attributes, creating an attack vector that can compromise the integrity of web applications and potentially lead to unauthorized access or data exfiltration.

The technical implementation of this vulnerability involves the Path Widget component failing to properly sanitize and escape user input before rendering it within web pages. When authenticated users with contributor permissions or higher create or modify content using the Path Widget, they can inject malicious JavaScript code through attribute values that are subsequently stored in the WordPress database. This stored payload executes whenever any user accesses pages containing the injected content, making it a persistent threat that can affect multiple users over time. The vulnerability specifically manifests in the plugin's handling of user-supplied attributes without adequate sanitization, creating a direct path for malicious code execution through the web application's interface.

From an operational perspective, this vulnerability presents significant risks to WordPress installations using the affected Elementor plugin versions. The requirement for only contributor-level permissions means that relatively low-privilege users can potentially compromise the entire site's security posture, making it particularly dangerous in multi-user environments where contributors may have access to content management features. Attackers can leverage this vulnerability to perform various malicious activities including session hijacking, data theft, redirecting users to malicious sites, or even establishing persistent backdoors within the WordPress installation. The stored nature of the XSS vulnerability ensures that the malicious payload remains active until manually removed, providing attackers with extended periods of access and potential impact.

Organizations and WordPress administrators should immediately update their Elementor plugin installations to versions beyond 3.20.2 to remediate this vulnerability. The mitigation strategy should include comprehensive security auditing of all user accounts with contributor-level permissions or higher, as these users represent the primary attack surface for this exploit. Additionally, implementing proper input validation and output escaping mechanisms within WordPress plugins serves as a preventive measure against similar vulnerabilities. This issue aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities resulting from insufficient output escaping, and represents a clear violation of secure coding practices outlined in the OWASP Top Ten. The ATT&CK framework categorizes this vulnerability under T1059.007 for scripting languages and T1566 for social engineering techniques, as attackers can use the stored XSS to manipulate user behavior and extract sensitive information from authenticated sessions. Regular security assessments and prompt patch management remain essential defensive measures against such persistent threats in the WordPress ecosystem.

Responsible

Wordfence

Reservation

03/01/2024

Disclosure

04/10/2024

Moderation

accepted

CPE

ready

EPSS

0.00462

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!