CVE-2024-8546 in ElementsKit Elementor Addons Plugin

Summary

by MITRE • 09/25/2024

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video widget in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/09/2025

CVE-2024-8546 affects the ElementsKit Elementor addons plugin for WordPress, specifically the Video widget, in all versions up to and including 3.2.7. It is a critical stored cross-site scripting flaw in the plugin's codebase. The defect arises because user-supplied widget attributes are neither adequately sanitized on input nor escaped on output before they are stored and later rendered into web pages. Security researchers consider it a significant risk to WordPress installations running the affected plugin, particularly where users with contributor-level privileges or higher have access to the administrative interface.

The flaw manifests when authenticated attackers with contributor-level access or above use the Video widget's attribute handling to store malicious script in the database. The stored script executes whenever any user views a page containing the compromised widget, so a single injection becomes a persistent threat to every visitor of that content. The impact is amplified by the fact that contributors normally hold sufficient privileges to edit content and add widgets to pages, which makes this vector especially concerning for multi-user WordPress sites. The weakness corresponds to CWE-79, cross-site scripting caused by insufficient sanitization of user-supplied input.

The operational impact of CVE-2024-8546 goes beyond simple script execution: it enables, among other things, session hijacking, data theft and redirection to malicious websites. Because exploitation requires only contributor privileges, the vulnerability is particularly dangerous where contributor accounts may be compromised or where privilege escalation has occurred. Attackers can craft payloads that look legitimate to end users, potentially spreading the compromise across a site's whole user base. The page also maps the vulnerability to ATT&CK technique T1566, which it describes as covering social engineering tactics in which web applications are abused to execute malicious code in the context of a victim's browser session.

Organizations affected by this vulnerability should immediately update to the latest version of the ElementsKit plugin where available, apply the vendor's patch, and audit all user accounts with contributor-level access or higher. Additional protective measures include strict input validation, monitoring for unauthorized content modifications, and robust privilege management policies. Security teams should also consider a web application firewall to detect and block malicious script injections, and regular penetration testing to find similar weaknesses in other installed plugins and themes. The vulnerability illustrates how important proper input sanitization and output escaping are in web applications, especially those that handle user-generated content in content management systems.
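The defect class described above (user-supplied widget attributes interpolated into HTML without attribute-context escaping) and the mitigation side (escaping on output, a URL scheme allow-list, and an audit over stored settings) are illustrated by the following added Python example. It is a constructed model written for this page, not ElementsKit's own code, and the function names (render_widget_unsafe, render_widget_safe, sanitize_url, breaks_template, audit_stored_settings), the two-field widget settings and the sample values are all assumptions; the injected sample value is an inert marker attribute, not a script.

```python
"""Attribute-context escaping for a widget that renders user-supplied settings.

Constructed model (not plugin code): a "video widget" stores a URL and a title
chosen by a Contributor and renders them into an <iframe> tag.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}   # only web URLs may become an iframe src
EXPECTED_ATTRS = {"src", "title"}     # the only attributes the template emits

# Constructed sample settings: a benign entry and one whose title closes the
# quoted attribute early and whose URL carries a non-web scheme.
BENIGN_SETTINGS = {"url": "https://example.com/embed/abc", "title": "Launch talk"}
CONSTRUCTED_SETTINGS = {"url": "javascript:void(0)", "title": 'demo" data-injected="1'}


def render_widget_unsafe(settings: dict) -> str:
    """The defect class from the advisory: raw interpolation of stored attributes."""
    return f'<iframe src="{settings["url"]}" title="{settings["title"]}"></iframe>'


def sanitize_url(url: str) -> str:
    """Input validation: keep only http(s) URLs with a host, drop everything else."""
    url = url.strip()
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES or not parsed.netloc:
        return ""
    return url


def render_widget_safe(settings: dict) -> str:
    """Output escaping: every value is escaped for the double-quoted attribute context."""
    url = html.escape(sanitize_url(settings.get("url", "")), quote=True)
    title = html.escape(settings.get("title", ""), quote=True)
    return f'<iframe src="{url}" title="{title}"></iframe>'


class _TagCollector(HTMLParser):
    """Collects (tag, attrs) for every start tag the browser-like parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str) -> list:
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def breaks_template(fragment: str) -> bool:
    """True if the rendered fragment contains anything but one <iframe> with the
    template's own attributes, i.e. stored data has altered the markup."""
    tags = parse_tags(fragment)
    if len(tags) != 1 or tags[0][0] != "iframe":
        return True
    return not set(tags[0][1]) <= EXPECTED_ATTRS


def audit_stored_settings(settings: dict) -> list:
    """Defensive audit over stored widget settings, for change monitoring:
    flags URLs outside the allow-list and titles holding attribute delimiters."""
    findings = []
    url = settings.get("url", "").strip()
    if sanitize_url(url) != url:
        findings.append("url: scheme not in allow-list")
    if any(ch in settings.get("title", "") for ch in '"\'<>'):
        findings.append("title: contains attribute-delimiting characters")
    return findings


if __name__ == "__main__":
    for name, settings in (("benign", BENIGN_SETTINGS), ("constructed", CONSTRUCTED_SETTINGS)):
        print(name, "unsafe breaks template:", breaks_template(render_widget_unsafe(settings)))
        print(name, "safe breaks template:  ", breaks_template(render_widget_safe(settings)))
        print(name, "audit findings:        ", audit_stored_settings(settings))
```

The parser-based check is the useful part for a defender: rather than grepping for characters, it asks whether the stored data changed the structure of the emitted markup. With escaping in place the title survives verbatim as attribute data (the parser hands back the original string), while the markup stays a single `<iframe>` with exactly the two attributes the template wrote.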

Reservation

09/06/2024

Disclosure

09/25/2024

Moderation

accepted

CPE

ready

EPSS

0.00407

KEV

no

Activities

very low

Sources
