CVE-2024-4643 in Element Pack Elementor Addons Plugin
Summary
by MITRE • 08/02/2024
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘end_redirect_link’ parameter in versions up to, and including, 5.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/05/2026
The Element Pack Elementor Addons plugin for WordPress represents a popular extension that enhances website functionality through various addons including header footer templates, dynamic grid and carousel features, and remote arrows. This vulnerability affects versions up to and including 5.7.1, making it a significant security concern for WordPress installations that utilize this plugin. The flaw manifests as a stored cross-site scripting vulnerability that can be exploited by authenticated attackers possessing contributor-level permissions or higher, demonstrating the critical nature of privilege escalation in web application security.
The technical flaw resides in the insufficient input sanitization and output escaping mechanisms within the plugin's handling of the 'end_redirect_link' parameter. When users with appropriate permissions submit data containing malicious script code through this parameter, the plugin fails to properly sanitize the input before storing it in the database. This stored data is then subsequently retrieved and displayed without proper output escaping, creating an environment where malicious scripts can execute in the context of other users' browsers. The vulnerability operates as a classic stored XSS attack where the malicious payload is permanently stored on the server and executed each time the affected page is accessed.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, and data exfiltration. An attacker with contributor privileges can inject scripts that redirect users to malicious sites, steal cookies, or modify page content to deceive users. The vulnerability is particularly dangerous because it requires minimal privileges to exploit, making it accessible to users who may not have administrative access but still possess the ability to modify content. This creates a significant risk for WordPress sites where contributor-level users have access to the plugin's administrative interface.
The vulnerability can be classified under CWE-79 as a Cross-Site Scripting flaw, specifically manifesting as a stored XSS vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. From an ATT&CK framework perspective, this vulnerability aligns with techniques such as T1566.001 (Phishing via Social Media) and T1059.001 (Command and Scripting Interpreter) as attackers can use the stored scripts to execute commands or redirect users to malicious domains. The attack vector requires the attacker to have at least contributor-level permissions, which represents a significant risk since many WordPress sites grant these permissions to users who are not fully trusted administrators.
Mitigation strategies should include immediate patching to versions that address the input sanitization and output escaping issues, proper permission management to restrict contributor access to plugin configuration interfaces, and regular security audits of WordPress installations. Organizations should implement input validation mechanisms that properly sanitize all user-supplied data before storage and ensure that all output is properly escaped to prevent script execution. Additionally, monitoring for unusual administrative activities and implementing web application firewalls can provide additional layers of defense against exploitation attempts. The vulnerability serves as a reminder of the importance of proper input validation and output escaping in preventing cross-site scripting attacks, particularly in content management systems where multiple user roles may have varying levels of access to plugin features.