CVE-2024-2137 in All-in-One Addons for Elementor Plugininfo

Summary

by MITRE • 04/12/2024

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple pricing widgets (e.g. Pricing Single, Pricing Icon, Pricing Tab) in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/06/2025

The vulnerability identified as CVE-2024-2137 affects the WidgetKit plugin for WordPress, specifically targeting versions up to and including 2.4.8. This plugin is widely used for creating various website elements including pricing widgets that are essential for business websites and e-commerce platforms. The flaw manifests in multiple pricing widgets such as Pricing Single, Pricing Icon, and Pricing Tab, which are commonly utilized by website administrators to display product pricing information. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within these specific widget implementations, creating a persistent security weakness that can be exploited by authenticated attackers.

The technical nature of this vulnerability places it squarely within the CWE-79 category of Cross-Site Scripting, specifically classified as a stored XSS vulnerability. This means that malicious scripts can be permanently stored on the server and executed whenever legitimate users access affected pages. Attackers with contributor-level access or higher can leverage this weakness to inject malicious JavaScript code through the pricing widget interfaces. The vulnerability is particularly concerning because it operates at the administrative level where users have the ability to modify content, yet the system fails to properly validate or sanitize the input before storing it in the database. This allows attackers to create persistent backdoors or execute malicious code that can compromise user sessions and potentially escalate privileges.

From an operational impact perspective, this vulnerability creates significant risks for WordPress websites utilizing the WidgetKit plugin. The authenticated nature of the attack means that attackers do not need to compromise user credentials through external means such as phishing or brute force attacks. Instead, they can exploit their existing contributor privileges to inject malicious scripts that will execute for all users who view the affected pages. This includes not only regular visitors but also other administrators and contributors who may access the same pages. The stored nature of the vulnerability means that the malicious code persists even after the initial injection, making it particularly dangerous as it can be used to steal session cookies, redirect users to malicious sites, or perform other harmful activities. The impact extends beyond simple script execution as it can be used to establish persistent access to the website, potentially leading to complete compromise of the WordPress installation and the underlying server infrastructure.

Mitigation strategies for this vulnerability should focus on immediate patching of the WidgetKit plugin to version 2.4.9 or later, which contains the necessary security fixes. Organizations should also implement comprehensive input validation and output escaping mechanisms throughout their WordPress installations, particularly for user-generated content and administrative interfaces. The principle of least privilege should be enforced by limiting contributor-level access to only necessary functionality and regularly auditing user permissions. Security monitoring should be enhanced to detect unusual activity patterns that might indicate successful exploitation attempts. Additionally, organizations should consider implementing web application firewalls and content security policies to provide additional layers of protection against XSS attacks. This vulnerability demonstrates the critical importance of proper input sanitization and output escaping as outlined in the OWASP Top Ten and ATT&CK framework, specifically addressing techniques related to client-side code injection and privilege escalation through web application vulnerabilities.

Responsible

Wordfence

Reservation

03/02/2024

Disclosure

04/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00320

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!