CVE-2024-3190 in Unlimited Elements for Elementor Plugin

Summary

by MITRE • 05/30/2024

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's text field widget in all versions up to, and including, 1.5.107 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note that this vulnerability is different in that the issue stems from an external template. It appears that older versions may also be patched due to this; however, we are choosing 1.5.108 as the patched version since that is the most recent version containing a known patch.


Analysis

by VulDB Data Team • 03/27/2025

CVE-2024-3190 affects the Unlimited Elements For Elementor WordPress plugin in all versions up to and including 1.5.107. The plugin provides free widgets, addons, and templates for sites built with the Elementor page builder. The flaw is a stored cross-site scripting vulnerability in the plugin's text field widget, a real concern for administrators of the many WordPress sites that rely on this popular plugin for customization.

The root cause is inadequate input sanitization and insufficient output escaping in the plugin's code. When an authenticated attacker with contributor-level access or higher submits malicious content through the text field widget, the plugin neither validates nor sanitizes the user-supplied attributes before storing them in the database, and does not escape them when they are rendered. The stored content then executes whenever any user loads a page containing it, creating a persistent threat vector that reaches every visitor to the affected site. The vulnerability is classified under CWE-79 (cross-site scripting); because the payload persists in storage, it is specifically a stored XSS.

The operational impact goes beyond typical XSS scenarios, because the flaw gives attackers a path from a low-privileged account to compromise of an entire WordPress installation. Contributors and above can inject scripts that steal session cookies, redirect users to malicious sites, or, if the attacker can escalate privileges further, execute administrative actions. That the vulnerability originates in an external template component adds complexity: template-based injection vectors are not immediately obvious to standard security scanning tools, so the vulnerability can remain undetected for extended periods while silently compromising user sessions and potentially leading to full site compromise.

The patched version 1.5.108 addresses this vulnerability with proper input sanitization routines and enhanced output escaping that prevent malicious scripts from being stored or executed. Security teams should prioritize patching affected installations, since the vulnerability is reachable by users with relatively low privilege levels in WordPress. Organizations using the Elementor plugin ecosystem should audit their plugin installations and consider additional monitoring for suspicious template modifications. The ATT&CK framework categorizes this vulnerability under T1546.001 for Windows and T1546.004 for Linux systems, representing privilege escalation through the exploitation of web application vulnerabilities. Given the widespread adoption of Elementor and its associated plugins, this vulnerability is a significant risk to the broader WordPress ecosystem and requires prompt attention from security teams at affected organizations.
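The two shapes the analysis contrasts, a widget renderer that concatenates stored settings straight into markup and one that sanitizes on save and escapes on output, as an added example. This is not code from the Unlimited Elements plugin or from VulDB; the function names, the settings layout and the sample values are assumptions made for the illustration, and the stand-in escapers only approximate the real WordPress functions so the file runs outside WordPress.

```php
<?php
// Added example, not code from the Unlimited Elements plugin or from VulDB.
// It contrasts a renderer that concatenates stored settings into markup (the
// defect class CVE-2024-3190 describes) with a hardened renderer that sanitizes
// on save and escapes on output. Function names and the settings layout are
// assumptions made for the illustration.

// Minimal stand-ins so this file runs outside WordPress. They approximate the
// real esc_attr(), esc_html(), sanitize_text_field() and sanitize_html_class()
// and are skipped when WordPress has already defined them.
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text): string {
        $text = strip_tags((string) $text);                   // drop any tags
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text); // drop control chars
        return trim($text);
    }
}
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class($class): string {
        return preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class); // allow-list
    }
}

// Constructed sample of what a contributor could save in a text field widget:
// the label carries a script tag, the placeholder tries to close its attribute
// and add an event handler, and the CSS class does the same.
const SAMPLE_SETTINGS = [
    'label'       => 'Your name <script>alert(1)</script>',
    'placeholder' => '" onfocus="alert(1)" autofocus="',
    'css_class'   => 'ue-input" onclick="alert(1)',
];

// BEFORE (vulnerable shape): stored values are concatenated into HTML with no
// escaping, so whatever was saved is rendered as live markup on every view.
function render_text_field_vulnerable(array $s): string {
    return '<label>' . $s['label'] . '</label>'
         . '<input type="text" class="' . $s['css_class'] . '"'
         . ' placeholder="' . $s['placeholder'] . '">';
}

// AFTER, step 1: sanitize when the settings are saved (defence in depth).
function sanitize_text_field_settings(array $s): array {
    return [
        'label'       => sanitize_text_field($s['label'] ?? ''),
        'placeholder' => sanitize_text_field($s['placeholder'] ?? ''),
        'css_class'   => sanitize_html_class($s['css_class'] ?? ''),
    ];
}

// AFTER, step 2: escape at output with the escaper for each context. This is
// the control that still holds if bad data already sits in the database.
function render_text_field_hardened(array $s): string {
    return '<label>' . esc_html($s['label']) . '</label>'
         . '<input type="text" class="' . esc_attr($s['css_class']) . '"'
         . ' placeholder="' . esc_attr($s['placeholder']) . '">';
}

echo "Vulnerable output:\n",
     render_text_field_vulnerable(SAMPLE_SETTINGS), "\n\n";
echo "Hardened output:\n",
     render_text_field_hardened(sanitize_text_field_settings(SAMPLE_SETTINGS)), "\n";
```

Run it with `php example.php` and compare the two outputs: in the vulnerable form the placeholder value closes its attribute and becomes an `onfocus` handler, while in the hardened form every quote is emitted as `&quot;` and the script tag in the label is gone. The output-side escaping is the decisive control, because the attacker-controlled settings persist in the database and are rendered on every page view; sanitizing on save is a second layer. Where a widget intentionally accepts limited HTML, WordPress's `wp_kses_post()` is the allow-list filter to use instead of `esc_html()`.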

Reservation: 04/02/2024

Disclosure: 05/30/2024

Moderation: accepted

CPE: ready

EPSS: 0.00257

KEV: no

Activities: very low

Sources
