CVE-2024-35709 in Plus Addons for Elementor Page Builder Lite Plugin
Summary
by MITRE • 06/08/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite (the-plus-addons-for-elementor-page-builder). This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through <= 5.5.4.
Analysis
by VulDB Data Team • 04/02/2026
The vulnerability identified as CVE-2024-35709 represents a critical cross-site scripting flaw within the Plus Addons for Elementor Page Builder Lite plugin, specifically impacting versions through 5.5.4. This weakness resides in the improper neutralization of input during web page generation processes, creating a pathway for malicious actors to inject and execute arbitrary script code within the context of affected websites. The vulnerability stems from insufficient sanitization of user-supplied input that is subsequently rendered in web pages without adequate encoding or validation measures.
The technical implementation of this XSS vulnerability occurs when the plugin processes user input through its Elementor page builder interface, failing to properly escape or sanitize data before incorporating it into dynamically generated HTML content. Attackers can exploit this by crafting malicious input within plugin settings or content fields that gets rendered on pages without proper security controls. This flaw allows for the execution of malicious scripts in the victim's browser context, potentially enabling session hijacking, defacement, or data exfiltration. The vulnerability specifically affects the plugin's handling of input parameters that are used to generate dynamic web content, making it particularly dangerous in environments where administrators or users may interact with the plugin's configuration interfaces.
The operational impact of this vulnerability extends beyond simple script execution, as it can lead to complete compromise of affected websites and their user bases. An attacker who successfully exploits this vulnerability can manipulate the content of web pages, redirect users to malicious sites, steal cookies and session tokens, or even perform administrative actions if the attacker can gain access to privileged user accounts. The vulnerability is particularly concerning because it affects a widely used page builder plugin, meaning that numerous websites utilizing Elementor may be at risk. The issue affects all versions from the initial release through version 5.5.4, indicating a long-standing problem that has persisted across multiple iterations of the software.
Security mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that address the XSS flaw. Organizations should implement comprehensive input validation and output encoding mechanisms to prevent similar issues in the future. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities, and can be categorized under ATT&CK technique T1566.001 for initial access through malicious web content. Additionally, implementing Content Security Policy headers, regular security audits of third-party plugins, and maintaining up-to-date security practices can significantly reduce the risk of exploitation. Organizations should also consider implementing web application firewalls and monitoring for suspicious input patterns to detect potential attempts to exploit this vulnerability.
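The output-encoding mitigation above, shown as an added illustration that is not code from the plugin or from VulDB: a hypothetical Elementor widget render method that concatenates a saved setting straight into HTML (the CWE-79 pattern), beside the same method using the WordPress escaping API. It assumes a WordPress runtime (esc_url, esc_html, esc_attr, wp_kses_post) and constructed setting values; the field names are invented.

```php
<?php
// Added example (not the plugin's code). Demonstrates the difference between
// echoing Elementor widget settings raw and escaping them per output context.

// Constructed attacker-controlled values, as a low-privileged editor user could
// save them through the page builder UI. Field names are hypothetical.
$settings = array(
    'title' => '<img src=x onerror=alert(1)>',
    'link'  => 'javascript:alert(1)',
);

// VULNERABLE: values land in HTML without neutralisation, so the markup in
// 'title' and the javascript: scheme in 'link' reach the visitor's browser.
function tp_render_widget_unsafe( array $settings ) {
    return '<a class="tp-title" href="' . $settings['link'] . '">'
        . $settings['title'] . '</a>';
}

// FIXED: escape for the exact context each value is inserted into.
//   esc_url()  drops URLs with disallowed schemes such as javascript: and
//              encodes the remainder for use in an href attribute
//   esc_html() encodes <, >, &, quotes for text placed between tags
//   esc_attr() is the equivalent for other attribute values
//   wp_kses_post() is the choice when a limited HTML subset must be kept
function tp_render_widget_safe( array $settings ) {
    return '<a class="tp-title" href="' . esc_url( $settings['link'] ) . '">'
        . esc_html( $settings['title'] ) . '</a>';
}

// In a real Elementor widget the values come from
// $this->get_settings_for_display() inside render(); the escaping rule is
// the same: sanitise on save, and always escape again at output time.
echo tp_render_widget_unsafe( $settings ), "\n"; // script-bearing markup
echo tp_render_widget_safe( $settings ), "\n";   // inert text, empty href
```

Escaping on output is the control that holds even when an earlier save-time sanitiser is bypassed, which is why it is the standard expectation in WordPress plugin review.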