VYPR
Medium severity 6.4 · NVD Advisory · Published May 14, 2024 · Updated Apr 15, 2026

CVE-2024-4329

Description

Stored XSS in Thim Elementor Kit WordPress plugin via unsanitized 'id' parameter allows contributor-level attackers to inject arbitrary scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Thim Elementor Kit plugin for WordPress versions up to and including 1.1.9 suffers from a stored cross-site scripting (XSS) vulnerability in the search-form.php widget. The id parameter is not properly sanitized or escaped before being output, allowing injection of arbitrary HTML and JavaScript. The vulnerable code is located in inc/elementor/widgets/global/search-form.php at line 819 [1].

Exploitation

An authenticated attacker with at least contributor-level access can inject malicious scripts via the id parameter when creating or editing a page using the Elementor builder. The injected script will be stored and executed when any user, including administrators, visits the affected page.

Impact

Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, defacement, or theft of sensitive information.

Mitigation

The vendor released version 1.1.9.1, which fixes the issue. Users should update to the latest version. No workarounds are provided in the available references.
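To confirm whether a given install is still in the affected range, the check below reads the `Version:` line from a plugin's header comment and compares it numerically against 1.1.9.1. It is an added example, not code from the advisory or the plugin; the function names and the sample header text are constructed for illustration.

```python
import re

# From the advisory: versions up to and including 1.1.9 are affected,
# 1.1.9.1 carries the fix.
FIXED_VERSION = "1.1.9.1"

# WordPress takes plugin metadata from a "Version:" line in the header
# comment of the plugin's main PHP file.
_VERSION_LINE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header (not copied from the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Thim Elementor Kit
 * Version: 1.1.9
 */
"""


def parse_version(text):
    """Turn '1.1.9.1' into (1, 1, 9, 1); trailing zeros are dropped so
    that '1.1.9' and '1.1.9.0' compare as equal."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def header_version(php_source):
    """Return the version string from a plugin header, or None if absent."""
    match = _VERSION_LINE.search(php_source)
    return match.group(1) if match else None


def is_affected(php_source):
    """True when the header version is older than the fixed release."""
    found = header_version(php_source)
    if found is None:
        raise ValueError("no Version: header found")
    # Tuple comparison is numeric per segment, so 1.1.10 is correctly
    # newer than 1.1.9.1 (a plain string comparison gets this wrong).
    return parse_version(found) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    print(header_version(SAMPLE_HEADER), is_affected(SAMPLE_HEADER))
```
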

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
