CVE-2024-4980 in WPKoi Templates for Elementor Plugin

Summary

by MITRE • 05/22/2024

The WPKoi Templates for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'id', 'mixColor', 'backgroundColor', 'saveInCookies', and 'autoMatchOsTheme' parameters in all versions up to, and including, 2.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/28/2025

The vulnerability identified as CVE-2024-4980 affects the WPKoi Templates for Elementor WordPress plugin in versions up to and including 2.5.9. This represents a critical security flaw that enables authenticated attackers with Contributor-level privileges or higher to execute stored cross-site scripting attacks within the WordPress environment. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating a persistent security risk that can affect all users who access compromised pages.

The technical flaw manifests through multiple parameter vectors, including 'id', 'mixColor', 'backgroundColor', 'saveInCookies', and 'autoMatchOsTheme', which are processed without proper validation or sanitization. When these parameters are submitted through user input forms or API endpoints, the plugin fails to adequately escape or filter the data before storing it in the database or rendering it in web pages. This stored data then executes as malicious scripts whenever any user accesses pages containing the injected content, creating a persistent threat that can affect multiple users over time. The vulnerability operates at the application layer and directly impacts the integrity of the WordPress content management system.

The operational impact of this vulnerability is significant as it allows attackers to establish persistent malicious presence within the WordPress installation. An attacker with Contributor-level access can inject scripts that may perform various malicious activities including but not limited to cookie theft, session hijacking, redirection to malicious sites, or data exfiltration. The stored nature of the XSS vulnerability means that the malicious scripts remain active even after the initial injection, continuously affecting any user who accesses the compromised pages. This creates a persistent backdoor that can be exploited by attackers to maintain access and conduct further malicious activities within the compromised environment.

The vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws in web applications, and represents a specific implementation weakness in the plugin's data handling processes. From an ATT&CK framework perspective, this vulnerability maps to techniques involving credential access and persistence mechanisms, as attackers can use the stored XSS to steal user sessions or maintain long-term access to the WordPress installation. Organizations should immediately implement mitigation strategies including updating to patched versions of the plugin, implementing proper input validation and output escaping mechanisms, and conducting thorough security audits of all installed plugins to identify similar vulnerabilities. The threat landscape for WordPress environments continues to evolve, and this vulnerability highlights the critical importance of maintaining up-to-date security practices for content management systems.
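
One way to audit already-stored content for the five parameters named above, as an added example that is not code from the plugin, MITRE or VulDB. It assumes the parameters are kept as Elementor widget settings in exported `_elementor_data` JSON and that they should hold an HTML id, hex colors and booleans; both assumptions are inferred from the parameter names, and the widget name and sample values are constructed.

```python
import json
import re

# Assumed value shapes, inferred from the parameter names, not from plugin source.
# Extend HEX_COLOR if your site legitimately stores rgba()/named colors.
HEX_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})")
HTML_ID = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")
BOOL_WORDS = {"yes", "no", "true", "false"}

def _matches(pattern):
    return lambda v: isinstance(v, str) and pattern.fullmatch(v) is not None

def _is_bool(v):
    return isinstance(v, bool) or (isinstance(v, str) and v.lower() in BOOL_WORDS)

CHECKS = {
    "id": _matches(HTML_ID),
    "mixColor": _matches(HEX_COLOR),
    "backgroundColor": _matches(HEX_COLOR),
    "saveInCookies": _is_bool,
    "autoMatchOsTheme": _is_bool,
}

def audit_elements(elements, post_id, path=""):
    """Return (post_id, path, key, value) for each setting that fails its check."""
    findings = []
    for index, element in enumerate(elements):
        kind = element.get("widgetType") or element.get("elType", "?")
        here = f"{path}/{index}:{kind}"
        settings = element.get("settings")
        if not isinstance(settings, dict):  # empty settings are exported as []
            settings = {}
        for key, check in CHECKS.items():
            value = settings.get(key)
            if value not in (None, "") and not check(value):
                findings.append((post_id, here, key, value))
        findings += audit_elements(element.get("elements") or [], post_id, here)
    return findings

# Constructed sample shaped like an _elementor_data export; widget name is hypothetical.
SAMPLE_META = json.dumps([{"id": "a1", "elType": "section", "settings": [], "elements": [
    {"id": "b2", "elType": "widget", "widgetType": "example-widget", "elements": [],
     "settings": {"id": "toggle-1", "mixColor": "#ffffff", "saveInCookies": "yes",
                  "backgroundColor": "\"><b>not-a-color</b>",
                  "autoMatchOsTheme": "maybe("}}]}])

if __name__ == "__main__":
    for finding in audit_elements(json.loads(SAMPLE_META), post_id=42):
        print(finding)
```

A finding only means the stored value does not fit the assumed shape and should be reviewed; escaping at render time in a patched plugin version remains the actual fix.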

Reservation

05/15/2024

Disclosure

05/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00345

KEV

no

Activities

very low
