CVE-2024-3199 in Plus Addons for Elementor Plugin
Summary
by MITRE • 05/02/2024
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/03/2025
The vulnerability identified as CVE-2024-3199 affects the Plus Addons for Elementor plugin, a popular WordPress plugin that extends the functionality of the Elementor page builder. This plugin is widely used by web developers and content creators to enhance their WordPress websites with additional widgets and features. The specific flaw resides in the countdown widget implementation within versions up to and including 5.4.2, making it a critical concern for WordPress site administrators who rely on this plugin for their website functionality.
The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When authenticated users with contributor privileges or higher create or modify content using the countdown widget, the plugin fails to properly sanitize user-supplied input before storing it in the database. Additionally, the output escaping is insufficient when rendering the stored content, creating an environment where malicious scripts can be persistently stored and executed. This represents a classic stored cross-site scripting vulnerability where the malicious payload is injected once and then executed every time the affected page is accessed by any user with appropriate permissions.
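As an added illustration of the sanitize-on-save / escape-on-output pattern the paragraph describes (this is not the plugin's own code), the snippet below places an unsafe widget render path beside a hardened one. The settings keys, function names and sample input are constructed for the example; esc_attr(), esc_html() and sanitize_text_field() are WordPress core APIs, with fallbacks so the file also runs under the plain php CLI.

```php
<?php
// Illustrative countdown-widget render path; not code from the plugin.
// esc_attr()/esc_html()/sanitize_text_field() are WordPress core functions;
// the fallbacks only exist so this file also runs outside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// Vulnerable pattern: contributor-controlled settings are concatenated
// straight into markup, so stored markup is emitted verbatim on every view.
function render_countdown_unsafe(array $settings): string {
    return '<div class="countdown" data-end="' . $settings['end_date'] . '">'
         . $settings['title'] . '</div>';
}

// Hardened pattern, step 1: sanitize when the widget settings are saved.
function sanitize_countdown_settings(array $raw): array {
    // The end date must match a fixed format; anything else is dropped, not stored.
    $end = preg_match('/^\d{4}-\d{2}-\d{2}$/', $raw['end_date'] ?? '') ? $raw['end_date'] : '';
    return [
        'end_date' => $end,
        // Plain-text field: tags are stripped. Use wp_kses_post() instead if a
        // limited HTML subset is a feature requirement.
        'title'    => sanitize_text_field($raw['title'] ?? ''),
    ];
}

// Hardened pattern, step 2: escape on output for the context being written.
function render_countdown_safe(array $settings): string {
    // Attribute value -> esc_attr(); element text -> esc_html().
    return '<div class="countdown" data-end="' . esc_attr($settings['end_date']) . '">'
         . esc_html($settings['title']) . '</div>';
}

// Constructed sample settings: the title carries markup and double quotes.
$raw = ['end_date' => '2025-01-01', 'title' => 'Sale ends <b>"soon"</b>'];

echo render_countdown_unsafe($raw), PHP_EOL;
echo render_countdown_safe(sanitize_countdown_settings($raw)), PHP_EOL;
```

Running it shows the first line emitting the stored tags unchanged, while the second strips them on save and encodes the remaining quotes on output, which is the combination the advisory says was missing.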
The operational impact of this vulnerability is significant for WordPress site owners and administrators who use the Plus Addons for Elementor plugin. An attacker with contributor-level access or higher can inject malicious scripts that will execute whenever any user views a page containing the compromised countdown widget. This creates a persistent threat vector that can be exploited to steal session cookies, perform unauthorized actions on behalf of users, redirect visitors to malicious websites, or even escalate privileges within the WordPress environment. The vulnerability affects all users who access pages containing the injected content, making it a widespread concern that could potentially compromise multiple user accounts across a single website.
Security professionals should note that this vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in software applications. The ATT&CK framework categorizes this as a form of code injection that could lead to privilege escalation and persistent threat vectors within web applications. Organizations using this plugin should immediately update to the latest version where the vulnerability has been patched, as the issue affects the core functionality of the plugin and poses a direct risk to website security. The vulnerability demonstrates the critical importance of input validation and output escaping in web applications, particularly when dealing with user-generated content that gets rendered on public-facing web pages. Given the widespread adoption of both WordPress and the Elementor plugin ecosystem, this vulnerability has the potential to affect numerous websites and underscores the necessity of regular security updates and proper access control measures to prevent unauthorized modifications to website content.