CVE-2024-29936 in Image Hover Effects Plugin
Summary
by MITRE • 03/27/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blocksera Image Hover Effects – Elementor Addon allows Stored XSS.This issue affects Image Hover Effects – Elementor Addon: from n/a through 1.4.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2025
The CVE-2024-29936 vulnerability represents a critical cross-site scripting flaw within the Blocksera Image Hover Effects Elementor addon, specifically targeting versions prior to 1.4. This vulnerability falls under the CWE-79 category of Cross-Site Scripting, where improper input sanitization during web page generation creates persistent security risks for websites utilizing this Elementor extension. The flaw enables attackers to inject malicious scripts that persist in the application's database, making it a stored XSS vulnerability rather than a reflected one. The vulnerability manifests when users interact with the addon's functionality, particularly during image hover effect configurations, where user-supplied input fails to undergo proper validation and sanitization before being rendered in web pages. This creates an attack surface where malicious actors can exploit the weakness to execute arbitrary JavaScript code in the context of affected websites, potentially compromising user sessions and accessing sensitive data.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, deface websites, steal user credentials, or redirect victims to malicious domains. When exploited, the stored XSS vulnerability allows threat actors to inject malicious payloads that persist across multiple user sessions, making the attack particularly dangerous for websites with multiple administrators or users who interact with the affected addon. The vulnerability's persistence means that once injected, malicious scripts will execute whenever affected pages are loaded, potentially affecting all visitors to the compromised website. This makes the flaw especially concerning for content management systems where multiple users have administrative access, as attackers could gain elevated privileges or manipulate website content. The exploitation requires minimal user interaction beyond visiting a page containing the malicious payload, making it a significant threat vector for websites using the Elementor platform with the vulnerable addon installed.
Mitigation strategies for CVE-2024-29936 should prioritize immediate patching of the affected Elementor addon to version 1.4 or later, which contains the necessary security fixes. Organizations should implement comprehensive input validation and output encoding mechanisms to prevent similar vulnerabilities in custom implementations, following the principle of least privilege for addon installations and regular security audits of third-party plugins. Security teams should monitor for any signs of exploitation through web application firewalls and intrusion detection systems, while also implementing Content Security Policy headers to limit script execution. The vulnerability aligns with ATT&CK technique T1566.001 for Initial Access through Spearphishing Attachments and T1059.007 for Command and Scripting Interpreter through JavaScript, emphasizing the need for layered defensive measures. Regular security assessments of Elementor themes and plugins should be conducted to identify potential XSS vulnerabilities, and developers should adopt secure coding practices that include proper sanitization of user inputs and implementation of proper output encoding for web content generation. Organizations should also consider implementing automated vulnerability scanning tools that can detect similar flaws in web applications and maintain up-to-date threat intelligence to identify potential exploitation attempts.