CVE-2024-5092 in Elegant Addons for Elementor Plugin
Summary
by MITRE • 05/22/2024
The Elegant Addons for elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Switcher, Slider, and Iconbox widgets in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/28/2025
The Elegant Addons for Elementor plugin represents a popular extension for WordPress that enhances website functionality through various widgets including Switcher, Slider, and Iconbox components. This vulnerability affects all versions up to and including 10.8, creating a significant security risk for WordPress installations that rely on this plugin for their frontend presentation and user interaction elements. The flaw exists within the plugin's handling of user-supplied data within these specific widgets, where proper input validation and output sanitization mechanisms have been inadequately implemented.
The technical vulnerability manifests as a stored cross-site scripting flaw classified under CWE-079 - Improper Neutralization of Input During Web Page Generation. Attackers with contributor-level access or higher can exploit this weakness by injecting malicious scripts through the plugin's interface when configuring these widgets. The vulnerability occurs because the plugin fails to properly sanitize user input before storing it in the database and subsequently outputting it to web pages without adequate escaping mechanisms. This allows attackers to persist malicious code within the plugin's data storage system, making the attack vector particularly dangerous as the scripts execute automatically whenever any user accesses pages containing the compromised widget content.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious websites. Since the vulnerability requires only contributor-level access, it represents a significant risk for WordPress sites where multiple users have editing privileges, potentially including clients, content managers, or other trusted individuals who may not be security-aware. The stored nature of the vulnerability means that once injected, malicious scripts persist indefinitely until manually removed, creating a long-term threat vector that can compromise any user who views affected pages.
Mitigation strategies should include immediate patching to version 1.0.9 or later where the sanitization issues have been addressed. Administrators should also implement strict access controls limiting contributor-level privileges to trusted individuals only, while monitoring plugin usage for suspicious activity. The vulnerability aligns with ATT&CK technique T1548.003 - Abuse Elevation Control Mechanism, as it allows privilege escalation through the exploitation of user access levels. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against script execution, though this should not replace proper input validation and sanitization. Regular security audits of WordPress plugins and maintaining updated security practices remain essential defensive measures against similar vulnerabilities in the plugin ecosystem.