CVE-2024-3645 in Essential Addons for Elementor Pro Plugin
Summary
by MITRE • 04/22/2024
The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Counter widget in all versions up to, and including, 5.8.11 due to insufficient input sanitization and output escaping on user supplied attributes such as 'title_html_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/05/2025
The vulnerability identified as CVE-2024-3645 affects the Essential Addons for Elementor Pro plugin, a popular WordPress plugin used for creating custom website elements and widgets. This particular flaw exists within the Counter widget functionality and impacts all versions up to and including 5.8.11, representing a significant security risk for WordPress installations that rely on this plugin for their website construction and content management.
The technical flaw stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. Specifically, the vulnerability occurs when user-supplied attributes such as 'title_html_tag' are not properly validated or escaped before being rendered in web pages. This insufficient sanitization creates an environment where malicious scripts can be stored within the plugin's data structures and subsequently executed when pages containing these scripts are accessed by other users. The vulnerability is classified as a stored cross-site scripting vulnerability, meaning that the malicious code is permanently stored on the server and executed every time affected pages are loaded.
The operational impact of this vulnerability is particularly concerning given that it requires only contributor-level access or higher to exploit, which represents a relatively low privilege threshold for WordPress administrators. This means that attackers who have gained access to a contributor account or higher can inject malicious scripts that will execute whenever any user accesses pages containing the compromised Counter widget. The vulnerability affects any user who views pages containing the malicious content, making it potentially dangerous for sites with multiple users or public-facing content. This type of vulnerability can be leveraged to steal user sessions, redirect visitors to malicious sites, or perform other malicious activities that compromise the security and integrity of the affected WordPress installation.
From a cybersecurity perspective, this vulnerability aligns with CWE-79 (Cross-site Scripting) and represents a classic example of how insufficient input validation can create persistent security risks. The ATT&CK framework categorizes this type of vulnerability under T1566 (Phishing) and T1059 (Command and Scripting Interpreter) as attackers can use stored XSS to deliver malicious payloads and establish persistent access to target systems. Organizations using this plugin should immediately implement mitigations including updating to the latest version of the plugin where the vulnerability has been patched, implementing additional input validation measures, and monitoring for suspicious activity in user accounts that have contributor or higher privileges.
The vulnerability demonstrates the critical importance of proper input sanitization and output escaping in web applications, particularly in content management systems where user-generated content is prevalent. Security practitioners should consider this vulnerability as part of their broader security assessment of WordPress environments, ensuring that all plugins and themes undergo regular security reviews and that proper access controls are maintained to prevent privilege escalation attacks. Organizations should also implement monitoring solutions that can detect anomalous script injection patterns and maintain up-to-date security patches across all WordPress components to prevent exploitation of similar vulnerabilities in the future.