CVE-2024-3647 in Premium Addons for Elementor Plugininfo

Summary

by MITRE • 05/02/2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post ticker widget in all versions up to, and including, 4.10.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the premium version of the plugin to be installed and activated in order to be exploited.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/03/2025

The vulnerability identified as CVE-2024-3647 affects the Premium Addons for Elementor plugin, a popular WordPress plugin that extends the functionality of the Elementor page builder. This plugin provides additional widgets and features to enhance website creation capabilities, with the affected component being the post ticker widget that displays dynamic content on websites. The vulnerability exists in versions up to and including 4.10.28, making it a significant concern for WordPress site administrators who rely on this plugin for their website functionality. The issue stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied data before processing it within the plugin's codebase.

The technical flaw manifests as a stored cross-site scripting vulnerability that allows authenticated attackers with contributor-level privileges or higher to inject malicious scripts into the plugin's post ticker widget. This type of vulnerability falls under CWE-79 which specifically addresses Cross-Site Scripting flaws where improper validation of input data leads to execution of malicious code in the context of the victim's browser. The vulnerability is particularly dangerous because it requires minimal privilege levels to exploit, as contributors typically have the ability to create and edit posts, which can be leveraged to inject scripts that will execute whenever any user accesses pages containing the malicious content. The attacker does not need to be an administrator but can leverage their contributor access to compromise other users who view the affected pages.

The operational impact of this vulnerability extends beyond simple script execution as it can enable attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious websites. When users with higher privileges access pages containing the injected scripts, the attacker can potentially escalate their privileges or gain access to sensitive information within the WordPress environment. The requirement for the premium version to be installed and activated adds an additional layer of complexity as it means that attackers must first identify sites using this specific plugin before attempting exploitation. This makes the vulnerability more targeted but also more dangerous when present, as it can be leveraged to compromise entire WordPress installations that rely on the premium features of this plugin.

The exploitation of this vulnerability demonstrates a clear violation of the principle of least privilege and proper input validation in web applications. According to ATT&CK framework category T1059.001 for Command and Scripting Interpreter, the stored XSS vulnerability creates an environment where attackers can execute arbitrary code in victim browsers. Organizations should immediately implement mitigation strategies including updating to the latest version of the plugin where the vulnerability has been patched, implementing proper input sanitization on all user-supplied data, and conducting thorough security audits of all installed plugins. Additionally, administrators should consider implementing web application firewalls, monitoring for suspicious script injections, and establishing regular security assessments to identify and remediate similar vulnerabilities across their WordPress installations. The vulnerability underscores the critical importance of maintaining up-to-date security practices and the necessity of validating all user input to prevent exploitation of such persistent security flaws.

Responsible

Wordfence

Reservation

04/10/2024

Disclosure

05/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00444

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!