CVE-2024-2785 in Plus Addons for Elementor Plugin
Summary
by MITRE • 05/14/2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/01/2025
The vulnerability identified as CVE-2024-2785 affects the Plus Addons for Elementor plugin, a popular WordPress extension that enhances the functionality of the Elementor page builder. This particular flaw exists within the Age Gate widget component and impacts all versions up to and including 5.4.2, representing a significant security risk for WordPress sites that utilize this plugin. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the plugin's codebase.
The technical nature of this vulnerability classifies it as a stored cross-site scripting flaw, which means that malicious scripts can be permanently stored on the server and subsequently executed whenever users access affected pages. Attackers with contributor-level privileges or higher can exploit this weakness by injecting malicious code through the Age Gate widget interface, which then gets stored in the database and executed whenever the page is rendered. This type of vulnerability allows for persistent malicious code execution that can affect multiple users who access the compromised pages, making it particularly dangerous for sites with multiple contributors or users with elevated privileges.
From an operational perspective, this vulnerability creates a substantial risk for WordPress administrators and site owners who may not immediately detect the malicious injection. The stored nature of the XSS attack means that even if the initial injection is discovered and removed, the malicious code continues to execute for any user who accesses the affected pages. The impact extends beyond simple script execution as attackers could potentially steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious websites. This vulnerability directly violates security principles outlined in the OWASP Top Ten and aligns with CWE-79 which specifically addresses cross-site scripting vulnerabilities.
The exploitation of this vulnerability requires minimal privileges, as attackers only need contributor-level access or higher, which is often granted to trusted users in WordPress environments. This makes the attack surface particularly broad since many WordPress sites have multiple contributors who may not require the highest level of security clearance. The vulnerability also demonstrates poor input validation practices that should be addressed through proper sanitization and escaping mechanisms. Organizations should implement the principle of least privilege and ensure that only users requiring administrative capabilities have contributor-level access to prevent unauthorized exploitation.
Mitigation strategies should include immediate patching of the plugin to version 5.4.3 or later, which addresses the input sanitization and output escaping deficiencies. Security teams should also conduct thorough audits of all user accounts with contributor-level access or higher to identify potential compromise. Network monitoring and web application firewalls can help detect and prevent exploitation attempts, while regular security assessments should be performed to identify similar vulnerabilities in other plugins and themes. The ATT&CK framework categorizes this vulnerability under the T1059.001 technique for command and scripting interpreter, as it enables attackers to execute malicious scripts through the web interface. Additionally, organizations should implement proper content security policies and regularly update their WordPress core, themes, and plugins to maintain a secure environment and reduce the attack surface.