CVE-2024-0585
Description
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 5.9.4 due to insufficient input sanitization and output escaping on the Image URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Essential Addons for Elementor Filterable Gallery widget via insufficient sanitization of image URLs, affecting versions ≤5.9.4.
Vulnerability
The Essential Addons for Elementor plugin for WordPress (versions up to and including 5.9.4) contains a Stored Cross-Site Scripting (XSS) vulnerability in the Filterable Gallery widget. The issue arises from insufficient input sanitization and output escaping on the Image URL parameter, allowing malicious scripts to be stored and executed when a user visits a page containing the widget [1][2].
Exploitation
An authenticated attacker with at least contributor-level permissions can inject arbitrary web scripts by providing a crafted image URL in the Filterable Gallery widget settings. The injected script is stored in the WordPress database and executed in the browser of any user who accesses the affected page, without requiring any additional user interaction beyond normal page viewing [1].
Impact
Successful exploitation leads to Stored Cross-Site Scripting, enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, defacement, or theft of sensitive information such as cookies or authentication tokens. The attack is performed with the privileges of the victim user, which could be an administrator if they view the compromised page [1].
Mitigation
The vulnerability is fixed in version 5.9.5 of the plugin, released on 2024-01-30 [2]. Users should update to version 5.9.5 or later immediately. No workarounds are available for earlier versions. The plugin is actively maintained, and the fix addresses the sanitization issue in the Filterable_Gallery.php file [2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- cpe:2.3:a:wpdeveloper:essential_addons_for_elementor:*:*:*:*:*:wordpress:*:*Range: <=5.9.4
- Range: <=5.9.4
Patches
1r3022852Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.