CVE-2024-2618 in Elementor Header & Footer Builder Plugininfo

Summary

by MITRE • 05/24/2024

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the size attribute in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/28/2025

The vulnerability identified as CVE-2024-2618 affects the Elementor Header & Footer Builder plugin for WordPress, specifically targeting versions up to and including 1.6.26. This represents a critical security flaw that undermines the integrity of WordPress sites utilizing this popular page builder extension. The vulnerability manifests through a stored cross-site scripting attack vector that exploits insufficient input sanitization and output escaping mechanisms within the plugin's handling of the size attribute. Attackers leveraging this weakness can execute malicious scripts in the context of the victim's browser, potentially leading to unauthorized access to sensitive data or complete compromise of user sessions.

The technical flaw resides in the plugin's failure to properly sanitize user input when processing the size attribute parameter. This weakness allows authenticated attackers with contributor-level privileges or higher to inject malicious code that gets stored within the WordPress database. When other users access pages containing the injected content, the stored scripts execute automatically in their browsers, creating a persistent threat that can affect multiple users over time. The vulnerability specifically targets the size attribute, which is commonly used in element configuration within the Elementor interface, making it a particularly insidious attack vector that can be exploited through normal content creation workflows.

The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including credential theft, session hijacking, and data exfiltration. Since the attack requires only contributor-level access, it represents a significant risk for WordPress sites where multiple users have editing privileges. The stored nature of the XSS vulnerability means that the malicious scripts remain active even after the initial injection, continuously affecting users who access affected pages. This persistent threat can be exploited to establish backdoors, redirect users to malicious sites, or harvest sensitive information from authenticated users, making it particularly dangerous for business-critical WordPress installations.

Organizations should immediately update to the latest version of the Elementor Header & Footer Builder plugin to remediate this vulnerability, as no official patches were available for versions prior to the fix release. System administrators should also implement additional monitoring to detect unusual content modifications and establish regular security audits of plugin installations. The vulnerability aligns with CWE-79 which categorizes cross-site scripting flaws, and follows ATT&CK technique T1566.001 for initial access through spearphishing attachments, though in this case the attack vector is more subtle and leverages legitimate plugin functionality. Security teams should consider implementing Content Security Policy headers and regular penetration testing to identify similar vulnerabilities in other WordPress plugins and themes that may not have been properly sanitized against XSS attacks.

Reservation

03/18/2024

Disclosure

05/24/2024

Moderation

accepted

CPE

ready

EPSS

0.00322

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!