CVE-2024-2286 in Sky Addons for Elementor Plugininfo

Summary

by MITRE • 03/13/2024

The Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wrapper link URL value in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/16/2025

The Sky Addons for Elementor plugin represents a popular suite of free templates and advanced elements designed to enhance WordPress website functionality through the Elementor page builder. This plugin ecosystem includes various components such as live copy functionality, animations, post grids, carousels, particles effects, sliders, and chart displays. The vulnerability exists within the wrapper link URL value handling mechanism across all plugin versions up to and including 2.4.0, creating a critical security exposure that affects WordPress environments utilizing this addon suite. The plugin's widespread adoption in the WordPress ecosystem means that this vulnerability could potentially impact numerous websites relying on Elementor for their content management and design capabilities.

The technical flaw manifests through inadequate input sanitization and insufficient output escaping mechanisms when processing user-supplied attributes, specifically targeting the wrapper link URL value parameter. This vulnerability classifies as a stored cross-site scripting attack because malicious scripts are permanently stored on the server and executed whenever affected pages are accessed by unsuspecting users. The flaw occurs during the processing of user input where the plugin fails to properly validate or sanitize the URL value before storing it in the database, and subsequently fails to adequately escape the output when rendering the stored value in web pages. This dual failure in input validation and output sanitization creates an exploitable condition that allows attackers to inject malicious JavaScript code through legitimate plugin functionality.

The operational impact of this vulnerability is particularly severe given that authenticated attackers with contributor-level permissions or higher can exploit it, which represents a relatively low barrier to entry for malicious actors. Contributors in WordPress typically have the ability to create and edit posts, pages, and media files, making this attack vector particularly dangerous as it can be leveraged by users who should normally have limited privileges. When an authenticated attacker injects malicious scripts through the wrapper link URL field, these scripts execute in the context of other users' browsers who visit pages containing the injected content. This creates a persistent threat that can be used to steal session cookies, perform unauthorized actions on behalf of users, redirect visitors to malicious sites, or even establish backdoors within the compromised website environment. The stored nature of the vulnerability means that the malicious code remains active until manually removed from the database, creating an ongoing risk for all website visitors.

This vulnerability aligns with CWE-79 (Cross-site Scripting) and follows ATT&CK techniques related to client-side exploitation and privilege escalation. The weakness demonstrates characteristics consistent with CWE-20 (Improper Input Validation) and CWE-116 (Improper Encoding or Escaping) as the root causes of the security flaw. The attack surface is particularly concerning because it leverages legitimate plugin functionality rather than requiring complex exploitation techniques, making it more accessible to attackers with basic knowledge of web application vulnerabilities. Organizations using this plugin should immediately consider implementing network-based mitigations such as web application firewalls that can detect and block suspicious script injection patterns, while also planning for immediate patching once available. The vulnerability's classification as a stored XSS attack requires comprehensive monitoring of user-generated content and database entries for malicious script injection attempts, as well as regular security audits of plugin configurations and user permissions to prevent unauthorized access to contributor-level accounts.

The exploitation of this vulnerability could lead to significant security breaches including session hijacking, data exfiltration, and unauthorized modifications to website content. The persistent nature of stored XSS means that even if administrators discover and remove the malicious code, the attack can continue to affect users until all instances of the injected script are completely eliminated from the database. This makes the vulnerability particularly dangerous in multi-user environments where contributor accounts may be compromised or where users have access to the plugin's configuration interfaces. Security professionals should implement comprehensive monitoring solutions that can detect anomalous user behavior patterns and suspicious content modifications, while also ensuring that all users with contributor-level permissions or higher undergo regular security training to prevent social engineering attacks that could lead to account compromise.

Responsible

Wordfence

Reservation

03/07/2024

Disclosure

03/13/2024

Moderation

accepted

CPE

ready

EPSS

0.00423

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!