CVE-2024-47383 in The Pack Elementor addons Plugininfo

Summary

by MITRE • 10/05/2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webangon The Pack Elementor addons the-pack-addon allows Stored XSS.This issue affects The Pack Elementor addons: from n/a through <= 2.0.8.8.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/05/2026

The vulnerability identified as CVE-2024-47383 represents a critical cross-site scripting flaw within the Pack Elementor addons plugin, specifically affecting versions up to and including 2.0.8.8. This weakness enables attackers to inject malicious scripts into web pages that are then executed by other users, creating a persistent security risk for websites utilizing this plugin. The vulnerability manifests during the web page generation process where input validation and sanitization mechanisms fail to properly neutralize user-supplied data before it is rendered in the browser context.

This stored cross-site scripting vulnerability stems from inadequate input sanitization within the plugin's content management system. When administrators or users submit content through the Pack Elementor addons interface, the plugin fails to adequately filter or escape special characters that could be interpreted as executable script code. The flaw allows attackers to store malicious payloads within the plugin's database or configuration files, which are then served to unsuspecting visitors when they access affected pages. The vulnerability falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security that directly enables XSS attacks.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, deface websites, steal sensitive user data, or redirect victims to malicious sites. Given that Elementor addons are commonly used across various website types including business, educational, and government platforms, the potential attack surface is extensive. The stored nature of this XSS means that once an attacker successfully injects malicious code, it will persist and affect all users who visit the affected pages until the vulnerability is patched. This makes the vulnerability particularly dangerous as it can remain undetected for extended periods while continuously compromising user sessions and data integrity.

Security practitioners should immediately implement mitigations including updating to the latest version of The Pack Elementor addons plugin where the vulnerability has been addressed. Organizations should also deploy web application firewalls with XSS detection capabilities and implement Content Security Policy headers to limit script execution. The ATT&CK framework categorizes this vulnerability under T1566 - Phishing, as attackers can leverage the stored XSS to craft convincing phishing campaigns that appear legitimate within the compromised website environment. Additionally, implementing proper input validation at multiple layers including client-side and server-side validation, along with regular security auditing of third-party plugins, can significantly reduce the risk of exploitation. The vulnerability underscores the critical importance of maintaining up-to-date plugins and following secure coding practices to prevent input sanitization failures that could compromise entire web applications.

Responsible

Patchstack

Reservation

09/24/2024

Disclosure

10/05/2024

Moderation

accepted

CPE

ready

EPSS

0.00247

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!