CVE-2024-3890 in Happy Addons for Elementor Plugin
Summary
by MITRE • 04/26/2024
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Calendly widget in all versions up to, and including, 3.10.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/03/2025
The vulnerability identified as CVE-2024-3890 affects the Happy Addons for Elementor WordPress plugin, specifically targeting the Calendly widget functionality within versions up to and including 3.10.5. This represents a critical security flaw that exploits the plugin's inadequate input validation mechanisms and insufficient output escaping practices. The vulnerability is classified as a stored cross-site scripting vulnerability, meaning that malicious scripts can be permanently stored on the server and executed whenever affected pages are accessed by unsuspecting users. The flaw exists in the plugin's handling of user-supplied attributes within the Calendly widget implementation, creating an attack vector that can be exploited by authenticated users possessing contributor-level privileges or higher.
The technical exploitation of this vulnerability occurs through the manipulation of input parameters within the Calendly widget configuration. When administrators or users with contributor-level access configure the widget, they can inject malicious JavaScript code into the widget attributes that are not properly sanitized before being stored in the database. This stored content is then served to other users when they access pages containing the compromised widget, executing the injected scripts in the context of the victim's browser session. The vulnerability stems from the plugin's failure to implement proper input sanitization techniques and output escaping mechanisms that would normally prevent malicious code from being executed in web contexts. This weakness aligns with CWE-79, which specifically addresses Cross-Site Scripting vulnerabilities resulting from insufficient input validation and output escaping.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities within the compromised WordPress environment. Authenticated attackers can leverage this vulnerability to steal session cookies, redirect users to malicious websites, inject additional malicious content, or even perform actions on behalf of other users with the privileges of the compromised accounts. The vulnerability particularly affects WordPress sites using the Happy Addons plugin where users with contributor-level access or higher can manipulate the Calendly widget settings. This creates a significant risk for sites that do not properly enforce role-based access controls or monitor user activities within their WordPress installations. The stored nature of the vulnerability means that once exploited, the malicious code persists until manually removed, potentially affecting multiple users over extended periods.
Mitigation strategies for this vulnerability require immediate action from site administrators, including updating to the latest version of the Happy Addons plugin where the vulnerability has been addressed. Organizations should also implement additional security measures such as regular monitoring of user activities, particularly for users with contributor-level access or higher, and conducting thorough security audits of third-party plugins. The implementation of Content Security Policy headers can provide additional protection against script execution, while regular security scanning and penetration testing can help identify similar vulnerabilities in other plugins or themes. System administrators should also consider implementing web application firewalls to detect and block malicious input attempts. According to ATT&CK framework category T1548.003, this vulnerability could be exploited as part of privilege escalation techniques, making it particularly dangerous for attackers seeking to maintain persistent access to compromised systems. The vulnerability highlights the importance of proper input validation and output escaping practices in web applications, emphasizing the need for developers to follow secure coding standards throughout the software development lifecycle.