CVE-2024-4087 in Royal Elementor Addons and Templates Plugin
Summary
by MITRE • 06/01/2024
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Back to Top widget in all versions up to, and including, 1.3.975 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/26/2025
The Royal Elementor Addons and Templates plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2024-4087 affecting versions through 1.3.975. This vulnerability resides within the plugin's Back to Top widget functionality, representing a significant security weakness that undermines the integrity of WordPress installations. The flaw stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or sanitize user-supplied attributes before processing them within the plugin's codebase. This vulnerability specifically targets authenticated attackers who possess contributor-level access or higher privileges within the WordPress environment, making it particularly concerning as it can be exploited by users who already have elevated permissions to compromise other users within the same system.
The technical implementation of this vulnerability allows attackers to inject malicious scripts into the plugin's Back to Top widget functionality through user-supplied attributes that are not adequately sanitized. When these attributes are processed and rendered in subsequent page requests, the injected scripts execute in the context of other users who access pages containing the compromised widget. This stored nature of the vulnerability means that the malicious code persists in the system and executes automatically whenever affected pages are accessed, creating a persistent threat vector that can affect multiple users over time. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a classic case of insufficient input validation where user-provided data flows directly into output without proper sanitization or escaping mechanisms.
The operational impact of CVE-2024-4087 extends beyond simple script execution as it enables attackers to potentially escalate their privileges, steal session cookies, perform unauthorized actions on behalf of other users, or redirect victims to malicious websites. Since contributors and above have the ability to modify content and widgets within WordPress, an attacker with these privileges can create a persistent backdoor or malicious payload that affects all users who view pages containing the compromised widget. This vulnerability particularly threatens WordPress sites that rely heavily on Elementor for page building, as the Back to Top widget is commonly used and the injection point is accessible through standard content management interfaces. The attack vector follows the typical STIX pattern where authenticated users with limited privileges can leverage the vulnerability to achieve broader system compromise, making it a significant concern for WordPress administrators managing multi-user environments.
Organizations should immediately implement mitigations including updating to the latest version of the Royal Elementor Addons and Templates plugin where the vulnerability has been addressed. Administrators should also consider implementing additional security measures such as restricting contributor-level access to widget modifications, implementing web application firewalls with XSS detection capabilities, and conducting regular security audits of installed plugins. The vulnerability demonstrates the importance of proper input validation and output escaping practices as outlined in the OWASP Top Ten security principles, particularly the need for defensive programming techniques that prevent malicious data from being executed as code. Additionally, organizations should consider implementing the principle of least privilege by limiting user permissions to only what is necessary for their specific roles, thereby reducing the potential impact of such vulnerabilities. The ATT&CK framework categorizes this vulnerability under T1059.005 for command and scripting interpreter, as the malicious scripts can execute system commands or manipulate application behavior through the compromised widget functionality.