Elementor Addon Elements < 1.13.2 – Contributor+ Stored XSS | CVE 2024-2091 | Plugin Vulnerabilities

Description

The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

addon-elements-for-elementor-page-builder

Fixed in 1.13.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/18e2e0e5-495f-4f55-b7d8-94193fc2ad12

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

82b5ff01-e53a-4498-bc44-a6ed10dc2d75

Timeline

Publicly Published

2024-03-27 (about 2 years ago)

Added

2024-03-27 (about 2 years ago)

Last Updated

2024-03-27 (about 2 years ago)

Other

Published

Title

Published

2025-01-18

Title

Tiki Time <= 1.3 - Reflected Cross-Site Scripting

Published

2024-04-20

Title

Event Tickets with Ticket Scanner < 2.3.8 - Admin+ Stored XSS

Published

2024-05-06

Title

Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) < 1.1.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Effect Widget

Published

2025-09-03

Title

WP Flow Plus < 5.2.6 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2026-04-07

Title

LearnPress < 4.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute