CVE-2024-6340 in Premium Addons for Elementor Plugin

Summary

by MITRE • 07/03/2024

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 4.10.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 05/08/2026

The Premium Addons for Elementor plugin is a widely used extension for WordPress sites that adds functionality through a set of widgets, one of which, the Countdown widget, has been identified as vulnerable to stored cross-site scripting. The vulnerability affects all versions up to and including 4.10.35, creating a persistent security risk that can be exploited by attackers with relatively low privileges. The flaw stems from inadequate input sanitization and output escaping in the plugin's codebase: the Countdown widget implementation accepts user-supplied attributes and renders them without proper validation or context-appropriate encoding.

Technically, the vulnerability allows authenticated attackers who hold contributor-level access or higher to inject malicious scripts into the Countdown widget's configuration. Once these inputs are saved and later rendered on a page, the injected scripts execute in the browsers of other users who view that page, which is what makes this a stored XSS attack vector. This class of vulnerability is particularly dangerous because the malicious code persists in the database and can affect many users without requiring any action on their part beyond visiting the affected page. The vulnerability corresponds to CWE-79, which describes cross-site scripting as a common weakness in web applications where untrusted data is not properly neutralized before being included in pages served to users.
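The escaping defect described above, shown as an added example that is not the plugin's own code: a countdown-style widget renders two of its settings, first by concatenating them straight into markup (the vulnerable pattern) and then by validating on save and escaping for each output context (the hardened pattern). The helper names (esc_attr_like, esc_html_like, sanitize_countdown_settings, render_countdown_*) and the sample settings are constructed for this illustration; in a real WordPress plugin the equivalent calls are esc_attr(), esc_html() and sanitize_text_field().

```php
<?php
// Added illustrative example, not the plugin's code: why a widget setting
// written straight into HTML is a stored XSS sink, and how to close it.
// Helper names and sample data are constructed for this illustration.

/** Vulnerable pattern: saved settings concatenated into HTML unescaped. */
function render_countdown_unsafe(array $settings): string {
    $label  = $settings['label'] ?? '';
    $color  = $settings['digits_color'] ?? '';
    return '<div class="countdown" data-color="' . $color . '">'
         . '<span class="label">' . $label . '</span></div>';
}

/** Escape for an HTML attribute value (what WordPress esc_attr() does). */
function esc_attr_like(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Escape for HTML text content (what WordPress esc_html() does). */
function esc_html_like(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Sanitize on save: validate each setting against what it is supposed to be.
 * This is defense in depth; the output escaping below is what actually
 * prevents script execution.
 */
function sanitize_countdown_settings(array $settings): array {
    // Allow-list the colour: only a CSS hex colour is accepted, anything else is dropped.
    $color = (string) ($settings['digits_color'] ?? '');
    if (!preg_match('/^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/', $color)) {
        $color = '';
    }
    // Free text keeps no markup at all (rough analogue of sanitize_text_field()).
    $label = trim(strip_tags((string) ($settings['label'] ?? '')));
    return ['label' => $label, 'digits_color' => $color];
}

/** Hardened pattern: sanitized settings, escaped per output context. */
function render_countdown_safe(array $settings): string {
    $s = sanitize_countdown_settings($settings);
    return '<div class="countdown" data-color="' . esc_attr_like($s['digits_color']) . '">'
         . '<span class="label">' . esc_html_like($s['label']) . '</span></div>';
}

// Constructed sample input standing in for a widget configuration saved by a
// contributor: one value breaks out of the attribute, the other injects a tag.
$saved = [
    'label'        => 'Sale ends <img src=x onerror=alert(1)>',
    'digits_color' => '" onmouseover="alert(1)',
];

echo "Unsafe render:\n", render_countdown_unsafe($saved), "\n\n";
echo "Safe render:\n",   render_countdown_safe($saved),   "\n";
```

Running the script with the PHP CLI prints the unsafe markup with a live event handler and a live tag, and the safe markup with the colour dropped by the allow-list and the label reduced to inert text. The point worth noting is that each output location gets the escaping for its own context (attribute versus text node); a single generic "sanitize" pass at save time is not a substitute for that.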

The operational impact extends well beyond simple script execution: an attacker can use the injected script for session hijacking, credential theft, data exfiltration, and redirection to malicious websites. Because only contributor-level access is required, the vulnerability is a significant risk for WordPress sites where several users hold editing privileges or where a contributor account may be compromised. Its stored nature also means that even if the attacker's access is brief, the injected code keeps executing for every user who views the affected pages until the plugin is patched and the malicious content is removed from the database.

Organizations and WordPress administrators should prioritize immediate remediation by updating the plugin to a version that corrects the input sanitization and output escaping deficiencies. The mitigation strategy should also include implementing a proper Content Security Policy, regularly auditing user permissions so that only trusted individuals hold contributor-level access or above, and monitoring the plugin's widget configurations for suspicious content. The case demonstrates the importance of the principle of least privilege and of keeping security practices current, since the flaw can be exploited by an attacker who has obtained credentials for a contributor-level or higher account (the ATT&CK credential-access path through compromised accounts with elevated permissions). Security teams should additionally consider web application firewalls and input validation rules that can help detect and block similar injection attempts elsewhere in their WordPress installations.
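The monitoring step above, as an added example that is not VulDB's or the plugin's own code: a small audit pass that walks a saved widget-settings tree and reports string values that look like injected markup. The JSON document is constructed for this illustration and its key names (widgetType, settings, countdown_label and so on) are assumptions, not the plugin's actual schema; the function names are likewise hypothetical.

```php
<?php
// Added example, not the plugin's or VulDB's code: audit saved widget
// settings for values that look like stored script injection. The input
// shape and key names below are constructed for this illustration.

/** Heuristic: does a saved string carry markup that could execute script? */
function looks_like_markup_injection(string $value): bool {
    $patterns = [
        '/<\s*script\b/i',                    // script element
        '/\bon[a-z]+\s*=/i',                  // inline event handler attribute
        '/javascript\s*:/i',                  // javascript: URL scheme
        '/<\s*(iframe|object|embed|svg)\b/i', // other script-capable elements
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $value)) {
            return true;
        }
    }
    return false;
}

/**
 * Recursively walk a decoded widget tree and return [dotted.path => value]
 * for every string that trips the heuristic. Nested arrays are traversed so
 * settings buried inside sections and columns are still inspected.
 */
function audit_widget_tree($node, string $path = ''): array {
    $hits = [];
    if (is_array($node)) {
        foreach ($node as $key => $child) {
            $childPath = $path === '' ? (string) $key : $path . '.' . $key;
            $hits += audit_widget_tree($child, $childPath);
        }
    } elseif (is_string($node) && looks_like_markup_injection($node)) {
        $hits[$path] = $node;
    }
    return $hits;
}

// Constructed sample resembling a saved page layout with two widgets; the
// second one carries the kind of value this advisory describes.
$constructedJson = <<<'JSON'
[
  {"widgetType": "heading", "settings": {"title": "Summer sale"}},
  {"widgetType": "countdown",
   "settings": {"countdown_label": "Ends in <img src=x onerror=alert(1)>",
                "digits_color": "\" onmouseover=\"alert(1)",
                "due_date": "2024-07-31"}}
]
JSON;

$tree = json_decode($constructedJson, true);
$findings = audit_widget_tree($tree);

if ($findings === []) {
    echo "No suspicious widget settings found.\n";
} else {
    foreach ($findings as $path => $value) {
        printf("SUSPICIOUS %s: %s\n", $path, $value);
    }
}
```

Run this against the exported settings of each page during an audit, or after the plugin update, to find content that was injected before the fix and still sits in the database; the heuristic is deliberately broad and will flag legitimate inline handlers too, so treat hits as items to review rather than as proof of compromise.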

Reservation

06/25/2024

Disclosure

07/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00357

KEV

no

Activities

very low

Sources
