CVE-2024-3650 in ElementsKit Elementor Addons Plugininfo

Summary

by MITRE • 05/02/2024

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Accordion widget in all versions 3.0.7 through 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/09/2026

The ElementsKit plugin for WordPress presents a critical stored cross-site scripting vulnerability within its Image Accordion widget functionality, affecting versions ranging from 3.0.7 through 3.1.2. This vulnerability stems from inadequate input sanitization measures and insufficient output escaping mechanisms that fail to properly validate and sanitize user-supplied data before it is processed and rendered within web pages. The flaw exists specifically within the plugin's handling of user inputs in the Image Accordion widget component, creating a persistent XSS attack vector that can be exploited by authenticated attackers possessing contributor-level privileges or higher.

The technical implementation of this vulnerability allows malicious actors to inject arbitrary web scripts into the plugin's data handling processes, where these scripts become permanently stored within the WordPress database. When legitimate users access pages containing the compromised accordion widget, the stored malicious code executes in their browsers, potentially enabling unauthorized actions such as session hijacking, data theft, or redirection to malicious sites. This stored nature of the vulnerability means that the malicious payloads persist even after the initial injection, making the attack particularly dangerous as it can affect multiple users over extended periods without requiring repeated exploitation attempts.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a foothold for more sophisticated attacks within the WordPress environment. Contributors and higher-level users typically have access to various administrative functions and content management capabilities, making this vulnerability particularly dangerous when exploited by malicious insiders or compromised accounts. The attack vector requires only authenticated access at the contributor level, which is often more easily obtained than higher privilege escalation techniques, making this vulnerability highly exploitable in real-world scenarios. This weakness directly aligns with CWE-79 which addresses cross-site scripting vulnerabilities, and maps to ATT&CK technique T1566.001 for initial access through malicious content.

Mitigation strategies should focus on immediate plugin version updates to the latest stable release that addresses this vulnerability, along with comprehensive input validation and output escaping implementations. Administrators should also implement strict access controls and monitor user activities for suspicious behavior patterns, particularly around content creation and modification. Additional protective measures include implementing content security policies, regular security audits of plugin installations, and establishing robust user privilege management protocols. The vulnerability demonstrates the critical importance of proper input sanitization and output escaping practices in web applications, particularly those handling user-generated content, and highlights the necessity of continuous security monitoring for third-party WordPress plugins.

Reservation

04/10/2024

Disclosure

05/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00423

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!