VYPR
Medium severity · 6.4 · NVD Advisory · Published Apr 9, 2024 · Updated Apr 8, 2026

CVE-2024-2623

Description

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Essential Addons for Elementor countdown widget message parameter allows contributor-level users to inject scripts.

Vulnerability

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress (versions up to and including 5.9.11) contains a stored cross-site scripting (XSS) vulnerability in the countdown widget's message parameter. The flaw arises from insufficient input sanitization and output escaping, enabling authenticated attackers with at least contributor access to inject arbitrary web scripts. The vulnerable code path is triggered when a user accesses a page containing an injected countdown widget [1].
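The root cause named above (a widget setting that reaches the page without output escaping) is easiest to see side by side with its hardened form. The following is an added illustration written for this page, not code from the Essential Addons plugin or from Elementor; the function names, the `$settings` array and the sample message are assumptions, and the block expects to run inside WordPress so that `wp_kses_post()` and `esc_html()` are available.

```php
<?php
// Added illustration only: hypothetical countdown-widget render functions that mirror
// the pattern in the advisory. They are NOT the plugin's own code.

// Vulnerable pattern (assumed for illustration). The 'message' setting is authored in the
// editor by any user who can edit the page, including a contributor, and is stored in the
// database. Echoing it verbatim lets the visitor's browser interpret whatever markup was saved.
function hypothetical_countdown_render_unsafe( array $settings ) {
    return '<div class="countdown-message">' . $settings['message'] . '</div>';
}

// Hardened pattern: escape on output, at the moment the value enters the HTML.
// wp_kses_post() keeps the inline formatting a message legitimately needs (<strong>, <a>, ...)
// and drops script-capable tags and event-handler attributes. If the message never needs
// markup, esc_html() is the stricter choice because it neutralises every tag.
function hypothetical_countdown_render_safe( array $settings, $allow_markup = true ) {
    $raw     = isset( $settings['message'] ) ? (string) $settings['message'] : '';
    $message = $allow_markup ? wp_kses_post( $raw ) : esc_html( $raw );
    return '<div class="countdown-message">' . $message . '</div>';
}

// Constructed sample input for a local comparison (not a value taken from the advisory):
// legitimate inline formatting next to a script tag that an author should never be able to store.
$sample = array( 'message' => 'Sale ends <strong>soon</strong><script>alert(1)</script>' );

echo hypothetical_countdown_render_unsafe( $sample ) . PHP_EOL;      // script survives
echo hypothetical_countdown_render_safe( $sample ) . PHP_EOL;        // <strong> kept, <script> removed
echo hypothetical_countdown_render_safe( $sample, false ) . PHP_EOL; // everything entity-encoded
```

The design point is that escaping belongs at the output boundary regardless of what happened at save time: a contributor lacks the `unfiltered_html` capability, so nothing about the stored value can be trusted, and the render function is the last place where the widget controls how the value is interpreted. Running the safe and unsafe variants on the constructed sample is a quick way for a reviewer to confirm which behaviour a widget exhibits before and after an update.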

Exploitation

An attacker must be authenticated to WordPress with contributor-level permissions or higher. They can create or edit a page or post using the Elementor editor and insert a countdown widget. By supplying a crafted payload in the message field, the malicious script is stored in the database. Any subsequent visitor viewing the affected page will have the script executed in their browser [1].

Impact

Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the session context of any user who visits the compromised page. This can result in session hijacking, cookie theft, phishing, or defacement. The attacker does not gain direct server access but can perform actions on behalf of the victim user [1].

Mitigation

The issue is resolved in version 5.9.12 of the Essential Addons for Elementor plugin. Administrators should update to the latest version available (currently 6.6.5) to ensure protection. No workaround other than updating is available. The plugin is actively maintained, and no EOL status applies. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.