CVE-2024-2139 in Master Addons for Elementor Plugininfo

Summary

by MITRE • 03/27/2024

The Master Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in all versions up to, and including, 2.0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/13/2026

The vulnerability identified as CVE-2024-2139 affects the Master Addons for Elementor WordPress plugin, specifically targeting the Pricing Table widget functionality. This represents a critical security flaw that enables persistent cross-site scripting attacks through improper input validation and output sanitization mechanisms. The vulnerability exists in all plugin versions up to and including 2.0.5.6, making it a widespread concern for WordPress installations utilizing this popular page builder extension. The security flaw stems from inadequate sanitization of user inputs and insufficient escaping of output data, creating an environment where malicious scripts can be permanently stored within the plugin's data structures.

The technical exploitation of this vulnerability requires an authenticated attacker possessing at least contributor-level privileges within the WordPress environment. This access level allows the malicious actor to create or modify content through the Elementor editor interface, where the Pricing Table widget resides. Once the attacker injects malicious JavaScript code through the widget's input fields, the script becomes permanently stored within the WordPress database. When other users subsequently access pages containing the affected widget, the stored script executes in their browsers, potentially leading to session hijacking, data theft, or further exploitation of the compromised systems. This stored nature of the vulnerability distinguishes it from reflected XSS attacks and makes it particularly dangerous as the malicious code persists across multiple user sessions and page views.

The operational impact of CVE-2024-2139 extends beyond simple script execution, potentially enabling sophisticated attack vectors that align with multiple tactics described in the attack framework. The vulnerability can be categorized under CWE-79 as a Cross-Site Scripting flaw, specifically manifesting as a stored XSS vulnerability. This classification indicates that the malicious input is stored on the server and then served to other users without proper sanitization. The attack chain typically involves the attacker leveraging their contributor privileges to inject malicious code, which then executes when other users access pages containing the compromised widget. The implications include potential data exfiltration, cookie theft, and privilege escalation within the compromised WordPress environment, particularly when attackers can access administrative functions through session hijacking or other browser-based exploits.

Organizations affected by this vulnerability should implement immediate mitigation strategies to protect their WordPress installations. The primary recommendation involves updating the Master Addons for Elementor plugin to the latest available version that contains patches for the XSS vulnerability. System administrators should also consider implementing additional security measures such as role-based access controls to limit contributor-level privileges to only trusted users. Input validation should be strengthened through the implementation of proper sanitization routines and output escaping mechanisms within the plugin's codebase. Security monitoring should include regular scanning for malicious scripts within the WordPress database and content management system, particularly focusing on the pricing table widget functionality. The vulnerability also highlights the importance of adhering to security best practices outlined in the OWASP Top Ten, specifically addressing the risks associated with insecure data handling and insufficient input validation in web applications.

Responsible

Wordfence

Reservation

03/02/2024

Disclosure

03/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00340

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!