CVE-2024-5790 in Happy Addons for Elementor Plugin

Summary

by MITRE • 06/29/2024

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Analysis

by VulDB Data Team • 03/21/2025

The vulnerability identified as CVE-2024-5790 affects the Happy Addons for Elementor WordPress plugin, specifically targeting the Gradient Heading widget functionality. This represents a critical security flaw that enables persistent cross-site scripting attacks, where malicious scripts can be stored and executed against unsuspecting users. The vulnerability exists in all plugin versions up to and including 3.11.1, making it a widespread concern for WordPress sites utilizing this popular Elementor addon. The flaw stems from inadequate input validation and output sanitization measures within the plugin's codebase, creating a pathway for attackers to inject malicious JavaScript code that persists in the database.

The technical exploitation of this vulnerability occurs through the 'url' attribute parameter within the Gradient Heading widget. When authenticated attackers with Contributor-level privileges or higher manipulate this specific input field, they can inject malicious scripts that get stored in the WordPress database. These stored scripts execute every time a user accesses a page containing the compromised widget, creating a persistent threat vector that can affect any user who views the affected content. This type of vulnerability falls under CWE-79, which specifically addresses Cross-Site Scripting flaws, and demonstrates how insufficient sanitization of user inputs can create lasting security risks. The attack vector operates through the standard WordPress plugin architecture where user-generated content is rendered without proper security measures.

The operational impact of CVE-2024-5790 extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, and data exfiltration. Since the vulnerability requires only Contributor-level access, it represents a significant risk for WordPress sites where multiple users have editing privileges, as attackers can exploit this weakness without requiring administrator credentials. The stored nature of the vulnerability means that even after the initial attack, the malicious scripts continue to execute against all users who access the compromised pages, potentially affecting hundreds or thousands of site visitors. This persistent threat can be leveraged for phishing attacks, defacement of content, or redirection to malicious websites, making it particularly dangerous for business-critical WordPress installations. The vulnerability aligns with ATT&CK technique T1566, which covers spearphishing with a malicious attachment, though in this case the attack vector is through content manipulation rather than file attachment.

Organizations affected by this vulnerability should immediately update to the latest version of the Happy Addons plugin where the XSS flaw has been patched. Security administrators should also conduct thorough audits of all pages containing the Gradient Heading widget to identify and remove any malicious scripts that may have been injected. Additionally, implementing proper input validation and output escaping measures within the WordPress plugin architecture can help prevent similar vulnerabilities from occurring in the future. The remediation process should include monitoring for unauthorized access attempts and conducting regular security assessments of all active plugins to ensure they meet current security standards and do not introduce XSS vulnerabilities. Given the nature of the vulnerability and its potential for persistent exploitation, immediate action is required to protect WordPress sites from this specific threat vector.
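
The page audit described above can be run offline against each post's Elementor data, which Elementor stores as JSON in the `_elementor_data` post meta. The following is an added example, not code from VulDB or from the plugin; the widget type string `ha-gradient-heading`, the `link` setting name and the sample data are assumptions constructed for illustration.

```python
import json
import re

WIDGET_TYPE = "ha-gradient-heading"  # assumed widgetType value for Gradient Heading
SAFE_SCHEMES = {"", "http", "https", "mailto", "tel"}  # "" means relative URL
MARKUP_CHARS = set("\"'<>`")
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")

def url_problem(value):
    """Return why a stored URL looks unsafe, or None if it passes."""
    if any(ord(ch) < 0x20 for ch in value):
        return "control character in URL"
    if MARKUP_CHARS & set(value):
        return "markup character in URL"
    match = SCHEME_RE.match(value.strip())
    scheme = match.group(1).lower() if match else ""
    if scheme not in SAFE_SCHEMES:
        return f"scheme '{scheme}' not in allowlist"
    return None

def find_urls(node, path=""):
    """Yield (setting_path, value) for every string stored under a 'url' key."""
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, val in items:
        here = f"{path}.{key}".lstrip(".")
        if key == "url" and isinstance(val, str):
            yield here, val
        else:
            yield from find_urls(val, here)

def audit(elementor_data, widget_type=WIDGET_TYPE):
    """Return sorted (element_id, setting_path, reason) findings for one post."""
    findings, stack = [], list(json.loads(elementor_data))
    while stack:
        el = stack.pop()
        stack.extend(el.get("elements", []))  # sections and columns nest widgets
        if el.get("widgetType") == widget_type:
            for path, value in find_urls(el.get("settings", {})):
                if (reason := url_problem(value)):
                    findings.append((el.get("id"), path, reason))
    return sorted(findings)

# Constructed sample in the shape of _elementor_data; "link" is an assumed setting name.
def _w(wid, url):
    return {"id": wid, "elType": "widget", "widgetType": WIDGET_TYPE,
            "settings": {"link": {"url": url}}, "elements": []}
SAMPLE = json.dumps([{"id": "s1", "elType": "section", "settings": [], "elements": [
    _w("w1", "https://example.test/pricing"), _w("w2", "javascript:void(0)"),
    _w("w3", 'https://example.test/a"b')]}])
```

A finding marks a widget for manual review after updating the plugin; it does not by itself confirm that the stored value is malicious.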

Reservation: 06/10/2024
Disclosure: 06/29/2024
Moderation: accepted
CPE: ready
EPSS: 0.00225
KEV: no
Activities: very low
