Elementor Plugin Vulnerable to Stored Cross-Site Scripting
CVE-2024-8440
Key Information:
- Vendor: WordPress
- CVE Published: 11 September 2024
What is CVE-2024-8440?
CVE-2024-8440 is a Stored Cross-Site Scripting (XSS) vulnerability in Essential Addons for Elementor, a widely used WordPress plugin that extends the Elementor page builder with additional widgets. It affects all versions of the plugin up to and including 6.0.3. The root cause is insufficient input sanitization and output escaping of user-supplied attributes in the plugin's Fancy Text widget: values saved into the widget's settings are rendered into page markup without being escaped for the context they land in. As a result, an authenticated attacker with contributor-level access or higher can store malicious web scripts in a page, and those scripts execute in the browser of every user who views the affected page. Consequences include session hijacking, defacement, and distribution of malicious content, which can be particularly damaging to an organization's reputation and security.
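The defect class described above, shown as an added example rather than the plugin's own code: a widget render function that concatenates stored settings straight into HTML, next to a hardened version that escapes each value for its output context. The setting names (`css_id`, `prefix_text`, `strings`) are hypothetical, and the `esc_attr()`/`esc_html()` stand-ins exist only so the file runs outside WordPress, where the real functions are used.

```php
<?php
// Added illustration, not code from Essential Addons for Elementor.
// Setting names below are hypothetical; the real widget's keys differ.

// Stand-ins so this runs without WordPress loaded. Inside WordPress the
// plugin would call the real esc_attr() / esc_html() from wp-includes.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: stored settings are dropped into markup verbatim,
// so a contributor-controlled value becomes live HTML/JS on the page.
function render_fancy_text_vulnerable(array $settings): string {
    $items = '';
    foreach ($settings['strings'] as $s) {
        $items .= '<span class="fancy-item">' . $s . '</span>';
    }
    return '<div id="' . $settings['css_id'] . '" class="fancy-text">'
         . '<span class="prefix">' . $settings['prefix_text'] . '</span>'
         . $items . '</div>';
}

// Hardened pattern: escape per context. Values inside an attribute go
// through esc_attr(); values in element text go through esc_html().
function render_fancy_text_hardened(array $settings): string {
    $items = '';
    foreach ($settings['strings'] as $s) {
        $items .= '<span class="fancy-item">' . esc_html($s) . '</span>';
    }
    return '<div id="' . esc_attr($settings['css_id']) . '" class="fancy-text">'
         . '<span class="prefix">' . esc_html($settings['prefix_text']) . '</span>'
         . $items . '</div>';
}

// Constructed settings, as a contributor could save them in the editor.
$settings = [
    'css_id'      => 'intro" onmouseover="alert(1)',
    'prefix_text' => 'We build <script>alert(1)</script>',
    'strings'     => ['fast', 'secure'],
];

$vuln = render_fancy_text_vulnerable($settings);
$safe = render_fancy_text_hardened($settings);
// Vulnerable output carries a working event handler and script tag;
// the hardened output carries them only as inert, escaped text.
echo 'vulnerable has live handler: ', var_export(str_contains($vuln, 'onmouseover="alert(1)"'), true), PHP_EOL;
echo 'hardened has live handler:   ', var_export(str_contains($safe, 'onmouseover="alert'), true), PHP_EOL;
echo $safe, PHP_EOL;
```

Escaping on output is the control that closes this class of bug regardless of what was stored; sanitizing on save (for example with `sanitize_text_field()`) is a useful second layer but does not replace it.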
Potential impact of CVE-2024-8440
- Data Theft and Unauthorized Access: Injected scripts run in the browser of anyone viewing the affected page and can capture what those users type or read their session cookies, exposing credentials and other sensitive data.
- Website Defacement and Manipulation: By injecting arbitrary scripts, attackers can alter the content displayed to visitors, harming the organization's brand image and user trust and potentially leading to a loss of customers and revenue.
- Propagation of Malware: An attacker who has stored a script on the site can use it to deliver malware or redirect visitors to malicious sites, which can result in widespread compromise of users and systems that interact with the vulnerable website.
Affected Version(s)
Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders: versions <= 6.0.3