CVE-2024-3074 in Elementor ImageBox Plugin
Summary
by MITRE • 05/02/2024
The Elementor ImageBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image box widget in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/27/2026
The Elementor ImageBox plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 1.2.8. This security flaw resides within the image box widget functionality and represents a significant risk to WordPress sites relying on this popular page builder extension. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or escape user-supplied attributes before they are stored and subsequently rendered in web pages.
The technical nature of this vulnerability allows authenticated attackers who possess contributor-level access or higher to inject malicious scripts into the plugin's image box widget parameters. When these malicious inputs are saved and later displayed on pages containing the affected widget, the injected scripts execute within the context of other users' browsers who visit those pages. This creates a persistent XSS attack vector where the malicious code remains stored in the website's database until manually removed, making it particularly dangerous for content management systems where multiple users have varying levels of administrative access.
The operational impact of this vulnerability extends beyond simple script execution as it can enable attackers to perform various malicious activities including session hijacking, credential theft, defacement of web pages, and redirection to phishing sites. Since contributors typically have the ability to create and edit posts and pages, an attacker with such privileges can compromise not only their own account but potentially affect all users who view affected pages. The vulnerability affects all users who access pages containing the compromised image box widget, regardless of whether they are logged in or not, making it a broad-spectrum threat to website security.
From a cybersecurity perspective, this vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications and represents a classic case of insufficient output escaping. The ATT&CK framework categorizes this as a technique for code injection within the context of web application attacks, where the adversary leverages legitimate application functionality to execute malicious code. Organizations using Elementor plugins should immediately implement mitigations including updating to patched versions, implementing proper input validation at multiple layers, and conducting thorough security audits of all user-accessible attributes within page builder components.
The vulnerability demonstrates the critical importance of proper sanitization practices in web development, particularly when handling user inputs that will be rendered in HTML contexts. The flaw highlights the necessity of comprehensive security testing including both input validation and output escaping mechanisms to prevent attackers from exploiting legitimate application features for malicious purposes. Regular security updates and proactive monitoring of plugin vulnerabilities remain essential defensive measures against such persistent threats in WordPress environments where multiple users can modify content and potentially introduce security risks through seemingly benign functionality.