CVE-2024-47390 in Jeg Elementor Kit Plugin
Summary
by MITRE • 10/05/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme Jeg Elementor Kit jeg-elementor-kit allows Stored XSS.This issue affects Jeg Elementor Kit: from n/a through <= 2.6.8.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/05/2026
The vulnerability identified as CVE-2024-47390 represents a critical cross-site scripting weakness within the Jeg Elementor Kit plugin for WordPress, specifically affecting versions up to and including 2.6.8. This flaw resides in the improper neutralization of input during web page generation processes, creating an avenue for malicious actors to execute persistent XSS attacks against unsuspecting users. The vulnerability manifests when the plugin fails to adequately sanitize user-supplied data before incorporating it into dynamically generated web pages, thereby allowing attackers to inject malicious scripts that persist in the application's database.
The technical nature of this vulnerability aligns with CWE-79, which describes improper neutralization of input during web page generation, commonly known as cross-site scripting. This weakness enables attackers to inject malicious client-side scripts into web pages viewed by other users, potentially compromising user sessions, stealing sensitive information, or redirecting users to malicious sites. The stored nature of this XSS vulnerability means that the malicious payload is permanently stored within the application's database and executed whenever affected pages are accessed, making it particularly dangerous as the attack vector persists beyond individual user interactions.
From an operational impact perspective, this vulnerability presents significant risks to WordPress websites utilizing the Jeg Elementor Kit plugin. Attackers can exploit this weakness to execute arbitrary JavaScript code within users' browsers, potentially leading to session hijacking, credential theft, data exfiltration, or defacement of web content. The stored XSS nature means that once an attacker successfully injects malicious code, it will affect all users who access the affected pages until the vulnerability is patched and the malicious content is removed from the database. This persistent threat makes the vulnerability particularly concerning for websites with high user engagement or those handling sensitive information.
Organizations and website administrators should prioritize immediate remediation of this vulnerability by upgrading to the latest version of the Jeg Elementor Kit plugin where the XSS flaw has been addressed. The remediation process should include comprehensive testing to ensure that all stored malicious content has been properly removed from the database and that the updated plugin functions correctly without introducing new issues. Additionally, implementing proper input validation and output encoding mechanisms, following the OWASP XSS Prevention Cheat Sheet recommendations, can help prevent similar vulnerabilities in the future. Security monitoring should also be enhanced to detect potential exploitation attempts, and regular security audits should be conducted to identify and address other potential XSS vulnerabilities within the WordPress ecosystem. The ATT&CK framework categorizes this vulnerability under T1566.001 - Phishing, as attackers can leverage this weakness to deliver malicious payloads through compromised websites, making it a critical target for immediate mitigation efforts.