CVE-2024-2131 in Move Addons for Elementor Plugin
Summary
by MITRE • 03/23/2024
The Move Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's infobox and button widget in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-29920 may be a duplicate of this issue.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/13/2026
The vulnerability identified as CVE-2024-2131 affects the Move Addons for Elementor plugin, a popular WordPress plugin that extends the functionality of the Elementor page builder. This particular flaw exists in versions up to and including 1.2.9, representing a significant security risk for WordPress sites that utilize this plugin. The vulnerability stems from inadequate input validation and output sanitization mechanisms within the plugin's infobox and button widgets, which are commonly used components in WordPress page construction. The flaw specifically targets user-supplied attributes that are processed through these widgets, creating an environment where malicious code can be persistently stored and executed.
The technical nature of this vulnerability classifies it as a stored cross-site scripting vulnerability, which operates through the manipulation of user input that gets stored on the server and subsequently executed when other users access the affected pages. This type of vulnerability is particularly dangerous because the malicious scripts are not transient but remain embedded within the website's content until manually removed. The vulnerability is accessible to authenticated attackers who possess contributor-level permissions or higher, which represents a relatively low barrier to exploitation since many WordPress sites have users with these permissions levels. The attack vector involves an attacker creating or modifying content through the plugin's widgets, where the malicious code gets stored in the database and executed whenever legitimate users access the affected pages.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, defacement of content, and redirection to malicious websites. The stored nature of the XSS vulnerability means that the attack can persist long after the initial compromise, potentially affecting all users who view the compromised pages without any additional interaction required from the victim. This persistent threat makes the vulnerability particularly concerning for websites that host sensitive content or have numerous contributors with varying permission levels. The vulnerability affects the core functionality of the Elementor plugin ecosystem, potentially compromising the integrity and security of entire WordPress installations that rely on this plugin for their page building capabilities.
Mitigation strategies should focus on immediate remediation through plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement strict access controls and permission management to limit contributor-level access to only trusted individuals. Additionally, regular security audits and monitoring of user-generated content should be conducted to identify potential malicious injections. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and it maps to ATT&CK technique T1566 which covers spearphishing with a malicious attachment. Implementing Content Security Policy headers can provide additional defense-in-depth measures, while regular backups ensure rapid recovery in case of successful exploitation. Organizations should also consider implementing web application firewalls and monitoring systems that can detect and block suspicious script injections in real-time.