CVE-2024-49667 in Local Business Addons for Elementor Plugin
Summary
by MITRE • 10/29/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asaduzzaman Abir Local Business Addons For Elementor map-addons-for-elementor-waze-map allows Stored XSS.This issue affects Local Business Addons For Elementor: from n/a through <= 1.1.5.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/07/2026
This cross-site scripting vulnerability exists within the Local Business Addons For Elementor plugin, specifically in the map-addons-for-elementor-waze-map component, where improper input sanitization allows attackers to inject malicious scripts into web pages. The vulnerability manifests as a stored XSS flaw that enables persistent malicious code execution when legitimate users view affected pages. The issue impacts all versions of the plugin up to and including version 1.1.5, indicating a widespread exposure across multiple releases. This type of vulnerability falls under CWE-79 which defines improper neutralization of input during web page generation as a critical weakness in web applications. The stored nature of this XSS means that malicious payloads are permanently saved on the server and executed whenever affected pages are accessed, making it particularly dangerous for website administrators and their visitors.
The technical exploitation of this vulnerability occurs through the plugin's handling of user-supplied data within map-related functionality, where input parameters are not properly sanitized before being rendered in web pages. Attackers can craft malicious scripts that get stored in the plugin's data storage and subsequently executed in the context of other users' browsers. This creates a persistent threat where the malicious code runs automatically whenever affected pages are loaded, potentially allowing attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect them to malicious sites. The vulnerability represents a failure in input validation and output encoding practices that should prevent dangerous characters and script tags from being processed as executable code within the web application's response.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to compromise entire user sessions and potentially gain unauthorized access to administrative functions. Website owners using affected versions face significant risks including data theft, unauthorized content modification, and potential full system compromise through session hijacking. The vulnerability affects the core functionality of the Elementor plugin ecosystem, which is widely used for website building, making the attack surface particularly large. This type of vulnerability aligns with ATT&CK technique T1531 which involves modifying existing programs or processes to gain persistence, and T1190 which covers exploiting vulnerabilities in web applications. The exposure period for this vulnerability spans across multiple versions, indicating that many users may be unknowingly running vulnerable code without awareness of the security risks.
Mitigation strategies should focus on immediate plugin updates to versions that address the XSS vulnerability, with administrators verifying that the updated versions properly sanitize all user inputs before rendering them in web contexts. Security measures must include implementing proper input validation using allowlists of acceptable characters, implementing output encoding for all dynamic content, and conducting thorough security testing of all user-supplied data handling within the plugin. Organizations should also implement web application firewalls to detect and block malicious script injection attempts, and conduct regular security audits of their Elementor plugin installations. The vulnerability demonstrates the critical importance of input sanitization in web applications and highlights the need for continuous security monitoring and patch management processes to protect against known vulnerabilities. Additionally, administrators should consider implementing Content Security Policy headers to further limit script execution and reduce the impact of potential XSS attacks.