CVE-2024-5251 in Ultimate Addons for WPBakery Page Builder Plugin
Summary
by MITRE • 07/17/2024
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_pricing shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 03/18/2025
The vulnerability identified as CVE-2024-5251 affects the Ultimate Addons for WPBakery plugin, a popular WordPress plugin that extends the functionality of the WPBakery Page Builder. This particular flaw exists within the ultimate_pricing shortcode implementation and represents a critical stored cross-site scripting vulnerability that impacts all versions up to and including 3.19.20. The vulnerability stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or escape user-supplied attributes before processing them within the shortcode functionality.
Exploiting this vulnerability requires an authenticated attacker with contributor-level access or higher in the WordPress environment. That access level lets the user place script content in the plugin's shortcode attributes, which WordPress then stores in its database along with the rest of the post. When other users, including administrators or editors, view pages containing the compromised shortcode, the injected JavaScript executes in their browsers, creating a persistent threat vector that can affect multiple users over time. The vulnerability operates at the application layer and specifically concerns the plugin's handling of user input during ultimate_pricing shortcode attribute processing.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including credential theft, session hijacking, data exfiltration, and privilege escalation within the compromised WordPress environment. The stored nature of the vulnerability means that once injected, the malicious scripts persist until manually removed by administrators, making it particularly dangerous as it can affect all users who view affected pages without requiring repeated exploitation attempts. This vulnerability aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses cross-site scripting flaws in web applications, and represents a clear violation of secure coding practices that should prevent user input from being directly rendered without proper sanitization.
The attack surface for this vulnerability is significant given the widespread adoption of both WordPress and the Ultimate Addons for WPBakery plugin across various websites and organizations. Security practitioners should note that the vulnerability requires minimal privileges to exploit, making it particularly concerning for environments where contributor-level accounts may be compromised or where user access controls are not properly enforced. The ATT&CK framework categorizes this vulnerability under T1566 - Phishing and T1059 - Command and Scripting Interpreter, as it enables attackers to establish persistent access through malicious script injection that can be used for further compromise of the WordPress environment. Organizations should implement immediate mitigation strategies including plugin updates to versions that address this vulnerability, along with monitoring for suspicious shortcode usage and implementing additional access controls to limit contributor-level privileges where possible.
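The following is an added example, written for this page and not code from VulDB or from the Ultimate Addons plugin. It models the flaw class described in the analysis above (shortcode attribute values reaching the rendered page without output escaping) beside a hardened renderer, and then implements the kind of scan over stored post content that the mitigation paragraph recommends. Only the shortcode name `ultimate_pricing` comes from the advisory; the attribute names (`heading`, `price`, `style`), the HTML template, the shortcode grammar approximation and the sample posts are all constructed for illustration and do not reflect the plugin's real implementation.

```python
"""Stored XSS via shortcode attributes: vulnerable vs. hardened rendering, plus a
defender-side scan of stored post content. Added example; all identifiers except the
shortcode name `ultimate_pricing` are constructed for illustration."""
import html
import re

SHORTCODE = "ultimate_pricing"

# Approximation of WordPress shortcode syntax for this example: [name attr="v" attr2='v']
# Like WordPress's own shortcode regex, the attribute string stops at the first ']'.
_TAG_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]")
_ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')

# Markup or script-bearing fragments that have no business inside a pricing-table
# attribute: tag brackets, javascript: URLs, and inline event handlers.
_SUSPICIOUS = re.compile(r"[<>]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Allow-list for the one attribute that ends up in a CSS class (constructed).
_ALLOWED_STYLES = {"default", "highlight"}


def parse_attrs(attr_str):
    """Parse 'key="value" key2=\'value\'' into a dict (keys lower-cased)."""
    attrs = {}
    for m in _ATTR_RE.finditer(attr_str):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def render_vulnerable(attrs):
    """Flaw class from the advisory: attribute values are interpolated into markup
    with no output escaping, so markup or event handlers in a value become live HTML."""
    return (
        '<div class="ult-pricing"><h3 class="{style}">{heading}</h3>'
        '<span class="price">{price}</span></div>'
    ).format(
        style=attrs.get("style", "default"),
        heading=attrs.get("heading", ""),
        price=attrs.get("price", ""),
    )


def render_hardened(attrs):
    """Escape every value for the context it lands in (html.escape with quote=True
    covers both attribute and text context here; in PHP this is esc_attr()/esc_html()),
    and restrict the class-name attribute to an allow-list instead of escaping alone."""
    style = attrs.get("style", "default")
    if style not in _ALLOWED_STYLES:
        style = "default"
    return (
        '<div class="ult-pricing"><h3 class="{style}">{heading}</h3>'
        '<span class="price">{price}</span></div>'
    ).format(
        style=style,
        heading=html.escape(attrs.get("heading", ""), quote=True),
        price=html.escape(attrs.get("price", ""), quote=True),
    )


def scan_post(post_id, content):
    """Triage aid for defenders: report every ultimate_pricing attribute in stored
    post content whose value carries markup or script fragments. Entity-encoded or
    otherwise obfuscated values may slip past this; it supplements the plugin update,
    it does not replace it."""
    findings = []
    for m in _TAG_RE.finditer(content):
        for key, value in parse_attrs(m.group(1)).items():
            if _SUSPICIOUS.search(value):
                findings.append({"post_id": post_id, "attr": key, "value": value})
    return findings


# Constructed sample post_content rows: one benign, one attribute-context injection,
# one text-context injection. The markers are inert placeholders, not real payloads.
SAMPLE_POSTS = {
    101: 'Our plans: [ultimate_pricing heading="Basic" price="$9"] and more.',
    102: '[ultimate_pricing style=\'x" onmouseover="void(0)\' heading="Pro" price="$19"]',
    103: '[ultimate_pricing heading="<script>/* constructed marker */</script>" price="$29"]',
}


def scan_all(posts=SAMPLE_POSTS):
    """Run scan_post over every stored post and flatten the findings."""
    findings = []
    for post_id, content in posts.items():
        findings.extend(scan_post(post_id, content))
    return findings


if __name__ == "__main__":
    for post_id, content in SAMPLE_POSTS.items():
        for m in _TAG_RE.finditer(content):
            attrs = parse_attrs(m.group(1))
            print(f"post {post_id} vulnerable: {render_vulnerable(attrs)}")
            print(f"post {post_id} hardened:   {render_hardened(attrs)}")
    for f in scan_all():
        print(f"SUSPICIOUS post={f['post_id']} attr={f['attr']} value={f['value']!r}")
```

Running the module prints both renderings side by side: the vulnerable template emits the `onmouseover` handler and the `<script>` marker verbatim, while the hardened one drops the unknown class name and entity-encodes the heading. The scan flags posts 102 and 103 and leaves 101 alone. Against a live site the same check would be run over `wp_posts.post_content` (and revisions), and any hit should be treated as an indicator to investigate the contributing account, not merely as content to clean.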