CVE-2024-4896 in WPB Elementor Addons
Summary
by MITRE • 05/22/2024
The WPB Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 03/28/2025
WPB Elementor Addons is a WordPress plugin that adds widgets to the Elementor page builder. The vulnerability affects every release up to and including 1.0.9, so any site still running one of those versions is exposed. It stems from missing input sanitization and missing output escaping in the plugin's handling of its 'url' parameter: a value supplied by a user with Contributor-level privileges or higher is stored and later rendered into a page without being neutralized, which lets that user plant script that persists in the site's content.
Technically this is a stored cross-site scripting flaw: the malicious payload is saved on the server and executes in the browser of every user who loads the affected page, not just the one who submitted it. Two controls are missing. The plugin does not validate the 'url' parameter when it is saved, so a value such as a javascript: URL or a string that closes the HTML attribute and opens a new one is accepted as-is, and it does not escape the value when it writes it into the page markup, so the browser interprets it as code. Either control alone would have blocked the bulk of payloads; with both absent, attacker-controlled data flows from the settings form into the rendered HTML unchanged.
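The following PHP is an added illustration written for this page; it is not code from WPB Elementor Addons and does not reproduce the plugin's actual functions. It shows the two-part failure described above, a stored 'url' value concatenated straight into an anchor tag, beside a hardened rendering path that applies a scheme allowlist and HTML-encodes the attribute. The function names, the settings array and the two attacker strings are all constructed for the example. In a real WordPress plugin you would not hand-roll this: call esc_url_raw() when saving and esc_url() / esc_attr() when rendering, which perform the same checks.

```php
<?php
// Added example (not the plugin's own code). Function names and sample
// settings below are assumptions for illustration.

// Constructed input 1: a Contributor saves a javascript: URL as the widget's 'url'.
$settings_js_scheme = [
    'url'  => 'javascript:alert(document.cookie)',
    'text' => 'Read more',
];

// Constructed input 2: a value that closes the href attribute and adds a handler.
$settings_attr_break = [
    'url'  => 'https://example.com/" onmouseover="alert(1)',
    'text' => 'Read more',
];

// VULNERABLE pattern: the stored value goes into the markup unchanged.
// With input 1 the link runs script on click; with input 2 the quote
// terminates href and the injected onmouseover attribute is live.
function render_link_unsafe(array $settings): string {
    return '<a href="' . $settings['url'] . '">' . $settings['text'] . '</a>';
}

// Hardened pattern, mirroring what WordPress's esc_url() does:
//  - drop control characters browsers ignore (defeats "java\tscript:"),
//  - allow only an explicit list of schemes (relative URLs pass through),
//  - HTML-encode so the value cannot terminate the attribute.
function safe_url(string $url): string {
    $url = trim($url);
    if ($url === '') {
        return '';
    }
    $url = preg_replace('/[\x00-\x1f\x7f]/', '', $url);
    $allowed = ['http', 'https', 'mailto', 'tel'];
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        if (!in_array(strtolower($m[1]), $allowed, true)) {
            return ''; // javascript:, data:, vbscript: ... are rejected
        }
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: a rejected URL degrades to plain text instead of a link.
function render_link_safe(array $settings): string {
    $href = safe_url($settings['url']);
    if ($href === '') {
        return esc_text($settings['text']);
    }
    return '<a href="' . $href . '">' . esc_text($settings['text']) . '</a>';
}

foreach ([$settings_js_scheme, $settings_attr_break] as $s) {
    echo "unsafe: " . render_link_unsafe($s) . "\n";
    echo "safe:   " . render_link_safe($s) . "\n";
}
```

Running it shows the first payload rendered as a clickable javascript: link and the second as a live onmouseover handler in the unsafe output, while the safe output drops the first link entirely and encodes the quote in the second so it stays inside the href value. The scheme allowlist is the part that an escaping-only fix misses: htmlspecialchars() leaves javascript:alert(1) untouched because it contains no special characters.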
The operational impact is significant because only Contributor-level access is needed, one of the lowest roles WordPress assigns to logged-in users. Every account at Contributor level or above can trigger it, which in the default role hierarchy means contributors, authors, editors and administrators. Contributors cannot publish on their own, but the injected content fires for whoever views the page once it is previewed or published, including the editor or administrator reviewing it. Because the payload is stored, it keeps executing for every visitor until the offending content is found and removed. In the victim's browser the script runs with the site's origin, so it can steal credentials or session cookies, perform actions as that user, or redirect visitors to attacker-controlled sites.
Security professionals should note that this vulnerability is classified as CWE-79 (improper neutralization of input during web page generation, i.e. cross-site scripting), and the ATT&CK mapping applied to it is a code-injection technique against the web application. The immediate remediation is to update WPB Elementor Addons to a release newer than 1.0.9, where the 'url' parameter is sanitized and escaped. Beyond patching, administrators should audit which accounts hold Contributor or higher access and remove it where it is not needed, and should check existing pages built with the plugin's widgets for URL values that use a javascript: scheme or contain quote characters, since a payload stored before the update is not removed by updating. The case is a reminder that every user-supplied value written into HTML needs both validation on the way in and context-appropriate escaping on the way out.