CVE-2024-29911 in Master Addons for Elementor Plugininfo

Summary

by MITRE • 03/27/2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jewel Theme Master Addons for Elementor allows Stored XSS.This issue affects Master Addons for Elementor: from n/a through 2.0.5.4.1.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/12/2025

The vulnerability identified as CVE-2024-29911 represents a critical cross-site scripting weakness within the Jewel Theme Master Addons for Elementor plugin, specifically impacting versions ranging from an unspecified initial state through 2.0.5.4.1. This flaw resides in the improper neutralization of input during web page generation processes, creating a persistent security risk that enables attackers to execute malicious scripts within the context of affected user sessions. The vulnerability falls under the CWE-79 category, which specifically addresses cross-site scripting flaws in web applications, and aligns with ATT&CK technique T1190 for exploiting web application vulnerabilities through malicious script injection.

The technical implementation of this stored XSS vulnerability occurs when the plugin fails to adequately sanitize user-supplied input before incorporating it into dynamically generated web pages. When administrators or users interact with the plugin's interface, particularly when entering content into fields that support rich text or dynamic content generation, the malicious input is not properly escaped or filtered before being rendered in the browser. This allows attackers to inject malicious JavaScript code that persists in the plugin's database or configuration files, making the payload execute whenever legitimate users view pages generated by the affected plugin. The stored nature of this vulnerability means that the malicious code remains embedded in the system and executes automatically against any user who accesses the compromised content.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to hijack user sessions, steal sensitive information, manipulate website content, or redirect users to malicious sites. In a WordPress environment utilizing Elementor page builder, this vulnerability could allow an attacker to gain unauthorized access to administrative functions, modify content, or establish persistent backdoors within the website infrastructure. The attack surface is particularly concerning given that Elementor is widely used for website creation and management, meaning that compromised sites could serve as launching points for broader attacks against visitors or as command and control nodes in larger cyber operations. The vulnerability's persistence across multiple versions suggests a fundamental flaw in the input handling mechanisms that requires immediate attention.

Mitigation strategies for CVE-2024-29911 should prioritize immediate plugin updates to versions that address the XSS vulnerability, as the vendor has likely released patches to resolve the input sanitization issues. Organizations should implement comprehensive input validation and output encoding measures across all user-facing fields within the Elementor environment, ensuring that any data entering the system undergoes proper sanitization before being stored or rendered. Network-level protections such as web application firewalls can provide additional defense-in-depth measures to detect and block suspicious script injection attempts. Security monitoring should include regular scanning for malicious code injection patterns and implementation of content security policies that restrict script execution from untrusted sources. System administrators should also consider implementing principle of least privilege access controls and regular security audits of plugin configurations to prevent unauthorized modifications that could exploit this vulnerability.

Responsible

Patchstack

Reservation

03/21/2024

Disclosure

03/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00343

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!