CVE-2024-3891 in Happy Addons for Elementor Plugin
Summary
by MITRE • 05/02/2024
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in widgets in all versions up to, and including, 3.10.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/04/2025
The vulnerability identified as CVE-2024-3891 affects the Happy Addons for Elementor WordPress plugin, representing a critical stored cross-site scripting flaw that has significant implications for website security. This vulnerability exists in all versions up to and including 3.10.5, making it a widespread concern for users who have not yet updated their installations. The issue stems from inadequate input sanitization and output escaping mechanisms within the plugin's widget functionality, specifically when processing user-supplied attributes that contain HTML tags.
The technical exploitation of this vulnerability occurs through the manipulation of HTML content within the plugin's widgets, where user inputs are not properly validated or sanitized before being stored in the database. This allows attackers to inject malicious scripts that persist in the system and execute whenever affected pages are accessed by other users. The vulnerability is particularly concerning because it requires only contributor-level access or higher, meaning that users with relatively low privileges can exploit this weakness to compromise the entire website. This access level typically includes authors, editors, and administrators who have the ability to modify content and add widgets to pages.
From an operational perspective, the impact of this stored XSS vulnerability extends beyond simple script execution, as it can potentially enable attackers to perform session hijacking, deface websites, steal sensitive information, or redirect users to malicious sites. The persistent nature of stored XSS means that once the malicious payload is injected, it will continue to execute for all users who access the affected pages until the vulnerability is patched and the malicious content is removed from the database. This makes the vulnerability particularly dangerous in environments where multiple users have contributor access or higher privileges, as the attack surface expands significantly.
The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in software applications, and can be mapped to ATT&CK technique T1566.001 for initial access through spearphishing attachments and T1059.001 for command and control through the execution of malicious scripts. Organizations using the Happy Addons for Elementor plugin should prioritize immediate remediation by updating to the latest version where this vulnerability has been patched. Additionally, administrators should implement proper input validation measures and consider restricting contributor-level access to plugin functionality where possible. Regular security audits and monitoring of user activities can help detect potential exploitation attempts, while maintaining up-to-date security practices across all WordPress installations remains essential for preventing similar vulnerabilities from compromising web infrastructure.