CVE-2024-3728 in Essential Addons for Elementor Plugin

Summary

by MITRE • 05/02/2024

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery & Interactive Circle widgets in all versions up to, and including, 5.9.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 04/02/2025

The Essential Addons for Elementor plugin is a popular WordPress extension that supplies widgets and templates for the Elementor page builder. This vulnerability affects all versions up to and including 5.9.15, so it is a significant concern for WordPress sites that rely on the plugin for their frontend functionality. It is confined to two of the plugin's widgets, the Filterable Gallery and the Interactive Circle, both of which are widely used to build interactive, visually rich content elements. The flaw lies in how the plugin handles user-supplied input within these two widget implementations.

Technically, the vulnerability stems from inadequate input sanitization and output escaping in the plugin's codebase. An authenticated user with contributor-level access or higher who edits a Filterable Gallery or Interactive Circle widget can place JavaScript in the attributes that control the widget's behavior and appearance. The plugin neither validates or sanitizes those values before storing them in the WordPress database nor escapes them when it renders the widget on frontend pages. The combination of missing input validation and missing output escaping yields a persistent (stored) XSS flaw that is triggered for every user who views the page, across sessions.

The operational impact is substantial, particularly for WordPress sites that maintain contributor-level accounts or whose more privileged accounts might be compromised. An attacker holding such an account can inject scripts that execute whenever any user views a page containing the compromised widget. This persistent vector can be used to steal session cookies, redirect users to malicious sites, perform actions on behalf of users, or even escalate privileges within the WordPress environment. The damage is not limited to the site itself: every user who visits an affected page can be compromised, which makes the flaw particularly dangerous in multi-user environments.

The vulnerability is classified as CWE-79 (Cross-Site Scripting), specifically the failure to sanitize user-supplied input. In ATT&CK terms it maps to techniques involving initial access through compromised credentials and privilege escalation through persistent web-based attacks. Exploitation requires minimal technical expertise, since it relies on existing user privileges and the plugin's legitimate functionality to deliver the payload. Organizations should update to the latest version of the Essential Addons for Elementor plugin immediately; no workaround exists for this specific flaw. Administrators should also monitor user accounts for unauthorized access and restrict contributor-level privileges where possible. Regular security audits of WordPress plugins and themes remain essential to maintaining a sound security posture against such persistent threats.
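To make the "insufficient sanitization and output escaping" point concrete, here is an added, illustrative Elementor widget (not code from the Essential Addons plugin) that places the weak render pattern beside the hardened one. It assumes Elementor's `Widget_Base` API and the standard WordPress escaping helpers; the class name and setting keys are hypothetical.

```php
<?php
// Illustrative example added to this entry; not the Essential Addons code.
// Assumes Elementor's Widget_Base and WordPress escaping helpers are loaded.

use Elementor\Widget_Base;

class Example_Gallery_Widget extends Widget_Base {

    public function get_name() { return 'example_gallery'; }   // hypothetical
    public function get_title() { return 'Example Gallery'; }  // hypothetical

    // WEAK: values a Contributor typed into the editor are stored as-is by
    // Elementor and echoed raw, so any markup in them reaches every visitor.
    protected function render_unescaped() {
        $s = $this->get_settings_for_display();
        echo '<div class="gallery ' . $s['css_class'] . '"'
           . ' data-filter="' . $s['filter'] . '">';
        echo '<h3>' . $s['title'] . '</h3>';
        echo '<a href="' . $s['link_url'] . '">' . $s['caption'] . '</a>';
        echo '</div>';
    }

    // HARDENED: each value is escaped for the exact context it is printed in.
    // Storage-side sanitization alone is not enough; output escaping is the
    // control that holds even when an older stored value is already tainted.
    protected function render() {
        $s = $this->get_settings_for_display();

        // A CSS class is a single token: strip anything outside [A-Za-z0-9_-].
        $css_class = sanitize_html_class( $s['css_class'] );

        printf(
            '<div class="gallery %1$s" data-filter="%2$s">'
            . '<h3>%3$s</h3><a href="%4$s">%5$s</a></div>',
            esc_attr( $css_class ),        // attribute context
            esc_attr( $s['filter'] ),      // attribute context
            esc_html( $s['title'] ),       // text-node context
            esc_url( $s['link_url'] ),     // URL context (drops javascript:)
            wp_kses_post( $s['caption'] )  // rich text: only post-safe HTML kept
        );
    }
}
```

When reviewing a widget for this class of bug, check every `echo`/`printf` in `render()` against this table of contexts; a value that is correct in one context (for example, `esc_html` output placed inside an attribute) is still a finding.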

Responsible: Wordfence

Reservation: 04/12/2024

Disclosure: 05/02/2024

Moderation: accepted

CPE: ready

EPSS: 0.00557

KEV: no

Activities: very low
