Stored Cross-Site Scripting in ElementsKit for WordPress
CVE-2024-11180
6.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 29 March 2025
What is CVE-2024-11180?
The ElementsKit Elementor addons plugin for WordPress has a vulnerability that could allow authenticated attackers with Contributor-level access and above to perform Stored Cross-Site Scripting via the Countdown Timer Widget. The vulnerability arises from inadequate input sanitization and output escaping in the ekit_countdown_timer_title parameter, enabling the injection of arbitrary web scripts into pages. These scripts execute whenever a user accesses the compromised pages, posing significant risks to site integrity and user data.
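For sites that ran an affected version, the stored content can be audited for this field. The following is an added example, not code from the plugin or from this advisory: it assumes Elementor's layout JSON (the _elementor_data post meta value, with nested "elements" and "settings" objects) stores the widget title under the key ekit_countdown_timer_title, and the pattern list is a heuristic for flagging values for review.

```python
import json
import re

# Setting key named in the advisory; assumed to be the key used in the stored settings.
TITLE_KEY = "ekit_countdown_timer_title"

# Heuristic markers of active content in a field that should hold a plain title.
SUSPICIOUS = re.compile(r"<\s*script|<\s*iframe|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def iter_elements(elements):
    """Walk the nested element tree depth-first, skipping malformed nodes."""
    for el in elements:
        if not isinstance(el, dict):
            continue
        yield el
        yield from iter_elements(el.get("elements") or [])


def find_suspicious_titles(elementor_data):
    """Return (element_id, value) for each countdown title that looks like active markup.

    elementor_data is the raw JSON string read from the _elementor_data post meta row.
    """
    try:
        tree = json.loads(elementor_data)
    except (TypeError, ValueError):
        return []
    if not isinstance(tree, list):
        return []
    hits = []
    for el in iter_elements(tree):
        settings = el.get("settings")
        if not isinstance(settings, dict):  # empty settings can be stored as a list
            continue
        value = settings.get(TITLE_KEY)
        if isinstance(value, str) and SUSPICIOUS.search(value):
            hits.append((el.get("id"), value))
    return hits


# Constructed sample: one benign title and one carrying an event-handler attribute.
SAMPLE = json.dumps([
    {"id": "a1", "elType": "section", "settings": [], "elements": [
        {"id": "b2", "elType": "widget", "settings": {TITLE_KEY: "Sale ends soon"}, "elements": []},
        {"id": "c3", "elType": "widget",
         "settings": {TITLE_KEY: "<img src=x onerror=alert(1)>"}, "elements": []},
    ]},
])

if __name__ == "__main__":
    for element_id, value in find_suspicious_titles(SAMPLE):
        print(f"review element {element_id}: {value!r}")
```

Any hit should be traced to the post's author and revision history, since Contributor-level accounts are enough to store the value.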
Affected Version(s)
ElementsKit Elementor Addons and Templates * <= 3.4.7