Elementor Header & Footer Builder < 1.6.27 – Authenticated (Author+) HTML Injection | CVE 2024-2619 | Plugin Vulnerabilities

Description

The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary HTML in pages that will be shown whenever a user accesses an injected page.

Affects Plugins

header-footer-elementor

Fixed in 1.6.27

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/689eb95b-2f72-4aa4-9f21-6ae186346061

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

a262227b-6c2b-4093-9af1-14fcb7569f24

Timeline

Publicly Published

2024-05-16 (about 1 year ago)

Added

2024-05-17 (about 1 year ago)

Last Updated

2024-05-17 (about 1 year ago)

Other

Published

Title

Published

2026-03-18

Title

Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms < 1.2.3 - Missing Authorization

Published

2025-12-27

Title

Crowdsignal Forms < 1.8.0 - Missing Authorization

Published

2024-03-12

Title

Blossom Spa < 1.3.5 - Sensitive Information Exposure

Published

2024-08-16

Title

InPost for WooCommerce <= 1.4.0 and InPost PL <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary File Read and Delete

Published

2025-12-23

Title

Brave < 0.8.4 - Missing Authorization