CVE-2024-2787 in Happy Addons for Elementor Plugin
Summary
by MITRE • 04/10/2024
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Page Title HTML Tag in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/08/2025
The vulnerability identified as CVE-2024-2787 affects the Happy Addons for Elementor WordPress plugin, specifically impacting versions up to and including 3.10.4. This represents a critical security flaw that undermines the integrity of WordPress sites utilizing this popular page builder extension. The vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's handling of user-supplied data, creating a pathway for malicious actors to exploit the system through stored cross-site scripting techniques.
The technical flaw manifests in the plugin's processing of the Page Title HTML Tag functionality, where user-provided attributes fail to undergo proper sanitization before being stored and subsequently executed. This vulnerability operates under CWE-79 which categorizes cross-site scripting flaws as weaknesses in input validation and output escaping. Attackers with contributor-level access or higher can leverage this vulnerability to inject malicious scripts that persist within the application's database, making the threat persistent and potentially widespread. The stored nature of this XSS vulnerability means that the injected scripts will execute whenever any user accesses a page containing the malicious payload, regardless of their privilege level.
The operational impact of this vulnerability extends beyond simple script injection, as it creates a persistent backdoor for attackers to execute arbitrary code within the context of the victim's browser. This can lead to session hijacking, credential theft, defacement of content, and potentially full system compromise if attackers can leverage the privilege escalation capabilities. The vulnerability affects all users who access pages containing the malicious content, making it particularly dangerous for sites with high traffic or multiple user roles. The attack vector is particularly concerning because it requires minimal privileges to exploit, as contributor-level access is sufficient to execute the malicious injection.
Mitigation strategies should focus on immediate plugin updates to versions that address the sanitization and escaping issues, with administrators monitoring for any suspicious activity in user-generated content. The recommended approach aligns with ATT&CK technique T1548.003 which emphasizes privilege escalation through malicious content injection. Organizations should implement comprehensive input validation at multiple layers, including server-side sanitization of all user inputs and proper output escaping before rendering content. Additionally, role-based access controls should be reviewed to minimize the attack surface, as the vulnerability's exploitation requires only contributor-level privileges. Security monitoring should include regular scanning for injected scripts and implementation of content security policies to prevent execution of unauthorized scripts.