CVE-2024-50449 in PDF Generator Addon for Elementor Page Builder Plugininfo

Summary

by MITRE • 10/28/2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder pdf-generator-addon-for-elementor-page-builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through <= 1.7.4.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/06/2026

This vulnerability represents a critical cross-site scripting flaw that specifically targets the PDF Generator Addon for Elementor Page Builder, a widely used WordPress plugin for creating PDF documents from web pages. The issue manifests as an improper neutralization of input during web page generation, creating a persistent stored XSS attack vector that can compromise user sessions and execute malicious code within the context of the affected website. The vulnerability affects versions up to and including 1.7.4, indicating that users running older versions remain at significant risk of exploitation.

The technical implementation of this flaw occurs when the plugin fails to properly sanitize user input before incorporating it into dynamically generated PDF documents. When administrators or users with appropriate privileges enter malicious script code into fields that are later processed by the PDF generator, the script gets stored in the database and subsequently executed whenever the PDF is generated or viewed. This stored nature of the vulnerability means that the malicious payload persists even after the initial input, making it particularly dangerous as it can affect multiple users over time. The vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws, and more precisely maps to CWE-80 which deals with improper neutralization of input during web page generation.

From an operational impact perspective, this vulnerability creates a severe security risk for WordPress websites utilizing Elementor page builder with the PDF generator addon. Attackers can exploit this flaw to execute arbitrary JavaScript code in the browsers of unsuspecting users who view the generated PDF documents, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The attack surface is particularly concerning because the vulnerability affects a plugin that is commonly used across various website types, from small business sites to enterprise applications. The stored nature of the XSS means that a single successful exploitation can compromise multiple users over time, making this a persistent threat that requires immediate attention.

The security implications extend beyond simple script execution, as this vulnerability aligns with ATT&CK technique T1566.001 which covers spearphishing attachments, and T1059.007 which involves scripting languages. The vulnerability creates opportunities for attackers to establish persistent access through the PDF generation functionality, potentially allowing them to modify content, steal sensitive information, or use the compromised site as a launchpad for further attacks. Organizations using this plugin should consider the broader implications of a compromised PDF generation system, as it could provide attackers with access to user data and potentially allow for privilege escalation within the WordPress environment. The remediation approach should include immediate version updates, input validation implementation, and comprehensive security auditing of all user-generated content processing within the affected system.

The vulnerability demonstrates the critical importance of proper input sanitization in web applications, particularly in plugins that handle user-generated content and generate dynamic output. Security teams should prioritize patching this vulnerability immediately and implement additional monitoring for suspicious PDF generation activities. Organizations should also consider implementing web application firewalls and content security policies to provide additional layers of protection against similar vulnerabilities in their web applications.

Responsible

Patchstack

Reservation

10/24/2024

Disclosure

10/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00248

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!