CVE-2024-2121 in Elementor Website Builder Pro Plugin
Summary
by MITRE • 03/27/2024
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Media Carousel widget in all versions up to, and including, 3.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/13/2025
The vulnerability identified as CVE-2024-2121 affects the Elementor Website Builder Pro plugin for WordPress, specifically targeting the Media Carousel widget functionality. This represents a critical security flaw that enables attackers to execute malicious code through persistent cross-site scripting techniques. The vulnerability exists in all plugin versions up to and including 3.20.1, making it a widespread concern for WordPress sites utilizing this popular page builder tool. The flaw stems from inadequate input sanitization and insufficient output escaping mechanisms that fail to properly validate and sanitize user-supplied data before processing and rendering within the widget's attributes.
The technical implementation of this vulnerability allows authenticated attackers who possess contributor-level permissions or higher to inject malicious scripts into the Media Carousel widget configuration. When users subsequently access pages containing these malicious payloads, the injected scripts execute in the context of the victim's browser session. This stored XSS vulnerability operates by bypassing WordPress's built-in security measures that typically protect against such attacks, specifically targeting the plugin's handling of user input within the Media Carousel widget's attribute processing pipeline. The vulnerability is classified under CWE-79 as a Cross-Site Scripting flaw, which falls under the broader category of web application security weaknesses that enable attackers to inject client-side scripts into web pages viewed by other users.
The operational impact of this vulnerability extends beyond simple script execution, as it creates potential pathways for more sophisticated attacks including session hijacking, credential theft, and data exfiltration. Attackers can leverage the compromised Media Carousel widget to inject malicious JavaScript that can capture user interactions, steal cookies, redirect users to malicious sites, or even attempt to escalate privileges within the WordPress environment. This vulnerability particularly affects WordPress sites where contributors or higher-level users have access to the Elementor editor interface, which is common in multi-user environments where content creators and editors require page building capabilities. The attack vector is particularly concerning because it requires minimal privileges to exploit, making it accessible to users who should normally have limited administrative capabilities.
Mitigation strategies for CVE-2024-2121 should prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. System administrators should implement strict user permission controls to limit access to the Elementor editor interface, particularly restricting contributor-level access to widgets that handle user input. The implementation of Content Security Policy headers can provide additional defense-in-depth measures to prevent execution of unauthorized scripts. Security monitoring should include regular checks for suspicious widget configurations and unexpected script injections within WordPress pages. Organizations should also consider implementing web application firewalls that can detect and block known XSS attack patterns targeting the Elementor plugin. This vulnerability aligns with ATT&CK technique T1566.001 for credential access through social engineering and T1059.001 for command and scripting interpreter usage, making it a critical concern for organizations following the MITRE ATT&CK framework for threat modeling and defense planning.