CVE-2024-2399 in Premium Addons for Elementor Pro Plugin
Summary
by MITRE • 03/15/2024
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.10.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable with the premium version of the plugin is also installed.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/13/2026
The vulnerability identified as CVE-2024-2399 affects the Premium Addons for Elementor WordPress plugin, representing a critical stored cross-site scripting weakness that has significant implications for website security. This flaw exists within the plugin's widget functionality and impacts all versions up to and including 4.10.23, making it a widespread concern for WordPress administrators who rely on this popular plugin for enhancing their website capabilities. The vulnerability specifically targets the premium version of the plugin, indicating that organizations using the paid features are particularly at risk, while the free version may remain unaffected.
The technical root cause of this vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms within the plugin's codebase. When authenticated attackers with contributor-level permissions or higher interact with the plugin's widgets, they can inject malicious scripts that get stored within the website's database. These stored scripts become persistent elements that execute automatically whenever any user accesses pages containing the injected content, creating a classic stored XSS attack vector. The vulnerability demonstrates poor security practices in data handling, where user-supplied attributes are not properly validated or escaped before being rendered in web pages.
The operational impact of this vulnerability is substantial, as it allows attackers to compromise user sessions and potentially escalate privileges within the compromised WordPress environment. Since the attack requires only contributor-level permissions, it can be exploited by users who have relatively low access rights, making it particularly dangerous for websites with multiple contributors or users with varying permission levels. The stored nature of the vulnerability means that once injected, malicious scripts persist indefinitely until manually removed, providing attackers with sustained access to target websites. This vulnerability directly aligns with CWE-79, which describes cross-site scripting flaws, and can be mapped to ATT&CK technique T1548.003 for abuse of credentials and privilege escalation.
Mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that address the XSS flaw, while also implementing additional security measures. Organizations should ensure that all users with contributor-level permissions or higher are properly vetted and monitored, as these roles can exploit this vulnerability. Network-level protections such as web application firewalls can provide additional defense-in-depth, though they are not a substitute for proper patching. Regular security audits of installed plugins and themes should be conducted to identify similar vulnerabilities, and administrators should maintain updated security practices including role-based access controls and regular security assessments. The vulnerability highlights the importance of proper input validation and output escaping in web applications, particularly in plugins that handle user-generated content.