CVE-2024-38674 in SKT Addons for Elementor Plugininfo

Summary

by MITRE • 07/20/2024

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SKT Themes SKT Addons for Elementor allows Stored XSS.This issue affects SKT Addons for Elementor: from n/a through 2.1.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/17/2025

The vulnerability CVE-2024-38674 represents a critical security flaw in the SKT Addons for Elementor plugin that enables stored cross-site scripting attacks. This weakness occurs during the web page generation process when user input is improperly sanitized or neutralized before being rendered in web pages. The vulnerability specifically affects versions of the SKT Addons plugin ranging from the initial release through version 2.1, making a substantial portion of the user base potentially susceptible to exploitation. The issue stems from the plugin's failure to adequately validate and sanitize user-supplied data that gets stored in the system and subsequently executed in web browsers.

The technical implementation of this vulnerability allows attackers to inject malicious scripts into the plugin's data storage mechanisms. When legitimate users view pages generated by the affected plugin, their browsers execute the stored malicious code, creating a persistent threat that can affect multiple users over time. This stored XSS vulnerability differs from reflected XSS attacks because the malicious payload is saved server-side and then served to other users without requiring them to click on a specific link or perform additional actions. The flaw resides in the input validation and output encoding processes within the Elementor page builder extension, where user-generated content is not properly escaped or filtered before being written to the database or rendered in the frontend.

From an operational standpoint, this vulnerability presents significant risks to websites using the SKT Addons plugin. Attackers can leverage this flaw to steal user session cookies, perform unauthorized actions on behalf of logged-in users, redirect victims to malicious websites, or even deface web pages. The stored nature of the attack means that once the malicious code is injected, it can affect all users who access the compromised pages until the vulnerability is patched and the malicious content is removed. This makes the attack particularly dangerous for websites with high user traffic or those that rely on user-generated content, as the impact can scale rapidly across multiple visitors. The vulnerability also poses risks to website owners' reputations and can lead to potential data breaches or unauthorized access to sensitive information.

Security mitigation strategies for this vulnerability should prioritize immediate patching of the affected plugin to version 2.2 or later, which contains the necessary fixes for the XSS flaw. Website administrators should also implement additional defensive measures such as content security policies to limit script execution, regular monitoring of plugin files for unauthorized modifications, and implementing web application firewalls that can detect and block malicious script injection attempts. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and it maps to ATT&CK technique T1566.001 for credential access through social engineering or exploitation of web application vulnerabilities. Organizations should conduct thorough security assessments of their Elementor-based websites and ensure all third-party plugins are kept current with security updates to prevent exploitation of similar vulnerabilities in their web applications.

Responsible

Patchstack

Reservation

06/19/2024

Disclosure

07/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00317

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!