CVE-2024-5073 in Essential Addons for Elementor Plugin

Summary

by MITRE • 05/30/2024

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Twitter Feed component in all versions up to, and including, 5.9.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/27/2025

The vulnerability identified as CVE-2024-5073 affects the Essential Addons for Elementor plugin, a popular WordPress plugin that provides various templates, widgets, and builders for the Elementor page builder. This plugin is widely used across WordPress installations to enhance website functionality and design capabilities. The vulnerability specifically resides within the Twitter Feed component of the plugin, which allows users to display Twitter content on their websites. The issue impacts all versions up to and including 5.9.21, making it a significant concern for WordPress site administrators who rely on this plugin for their website functionality.

The technical flaw stems from insufficient input sanitization and output escaping mechanisms within the plugin's Twitter Feed implementation. When authenticated attackers with Contributor-level access or higher submit malicious input through the Twitter Feed component, the plugin fails to properly sanitize this data before storing it in the WordPress database. This stored data is then later retrieved and displayed on pages without adequate output escaping, creating a classic stored cross-site scripting vulnerability. The vulnerability is particularly concerning because it requires only Contributor-level privileges, which are often granted to trusted users who may not be fully aware of the security implications of their actions.
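To illustrate the two missing controls named above, here is an added example (not code from Essential Addons or Elementor) that places the unsafe render pattern beside a hardened form which sanitizes on save and escapes for each output context. The setting and CSS class names are hypothetical, and the shims only stand in for the WordPress functions when the file is run outside WordPress.

```php
<?php
// Added illustration, not the plugin's code: a widget setting supplied by a
// Contributor is stored and later rendered into a public page.
// Setting names and the CSS class are hypothetical.

// Shims so the file runs under plain `php` outside WordPress; inside WordPress
// the real esc_html()/esc_attr()/sanitize_text_field() are already defined.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
    function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
}

// Vulnerable pattern (CWE-79): stored settings are echoed verbatim into HTML.
function render_feed_unsafe(array $settings): string {
    return '<div class="eael-twitter-feed" data-handle="' . $settings['twitter_handle'] . '">'
         . '<h3>' . $settings['title'] . '</h3></div>';
}

// Hardened pattern, step 1: sanitize on save (strips tags, trims).
function save_settings(array $raw): array {
    return [
        'twitter_handle' => sanitize_text_field($raw['twitter_handle'] ?? ''),
        'title'          => sanitize_text_field($raw['title'] ?? ''),
    ];
}

// Hardened pattern, step 2: escape for the output context at render time.
// sanitize_text_field() leaves quotes intact, so esc_attr() is still required
// inside an attribute and esc_html() inside element text.
function render_feed_safe(array $settings): string {
    return '<div class="eael-twitter-feed" data-handle="' . esc_attr($settings['twitter_handle']) . '">'
         . '<h3>' . esc_html($settings['title']) . '</h3></div>';
}

// Constructed sample input: markup that an editor field must neutralize.
$sample = ['twitter_handle' => '"><script>alert(1)</script>', 'title' => '<img src=x onerror=alert(1)>'];

echo render_feed_unsafe($sample), PHP_EOL;                // script element reaches the page
echo render_feed_safe(save_settings($sample)), PHP_EOL;   // rendered as inert text
```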

The operational impact of this vulnerability is substantial as it provides attackers with a persistent means of executing malicious scripts on victim websites. Once an attacker gains Contributor-level access, they can inject JavaScript code that will execute whenever any user accesses a page containing the injected content. This creates a vector for various malicious activities including credential theft, session hijacking, defacement of website content, and redirection to malicious sites. The stored nature of the vulnerability means that the malicious scripts persist even after the initial attack, continuing to affect users until the malicious content is manually removed or the plugin is updated.

From a cybersecurity perspective, this vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws, and maps to several ATT&CK techniques including T1566 for credential access through social engineering and T1059 for command and scripting interpreter. The flaw also reflects poor input validation practices and security controls that do not follow the principle of least privilege. Organizations should immediately update to the latest version of the Essential Addons for Elementor plugin, as the affected versions pose a significant risk to website security. Administrators should additionally review user permissions and apply further measures, such as web application firewalls and regular security audits, to mitigate exploitation of this vulnerability across their WordPress installations.

Reservation: 05/17/2024

Disclosure: 05/30/2024

Moderation: accepted

CPE: ready

EPSS: 0.00329

KEV: no

Activities: very low
