CVE-2024-51575
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
A stored Cross-Site Scripting (XSS) vulnerability in the Extender All In One For Elementor WordPress plugin (≤1.0.3) allows attackers to inject malicious scripts via unneutralized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Improper neutralization of user-supplied input during web page generation in the WordPress plugin 'Extender All In One For Elementor' (slug: extender-all-in-one-for-elementor) leads to a stored Cross-Site Scripting (XSS) flaw. The vulnerability affects all versions up to and including 1.0.3. The plugin has been closed/removed from the WordPress.org plugin directory due to an unfixed security issue [1].
Exploitation
An attacker with contributor-level access or higher (or any role that can submit content handled by the plugin) can inject a malicious XSS payload into input fields processed by the plugin. The script is stored on the server and executed in the browser of any user who views the affected page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session, leading to session hijacking, defacement, or theft of sensitive data. The injected script runs with the privileges of the user who views the page, and the flaw can be chained with other attacks.
Mitigation
No patched version exists; the plugin has been removed from the official WordPress repository as of October 24, 2024, and is unavailable for download [1]. Users should immediately uninstall 'Extender All In One For Elementor' and replace it with an alternative solution. As of this writing the CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
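Because the mitigation above is removal rather than an update, the practical first step is finding every copy of the plugin on a host. The following is an added example, not code from the plugin or from this page's source: it walks a web root, locates directories named after the affected slug, and reads the version from the plugin header. It assumes the plugin directory keeps its slug as its name and sits under a `plugins` directory; the function names are hypothetical.

```python
import re
from pathlib import Path

# Slug and version range as stated in the advisory above.
AFFECTED_SLUG = "extender-all-in-one-for-elementor"
LAST_AFFECTED = (1, 0, 3)

# WordPress takes a plugin's version from the "Version:" line of the
# header comment in a top-level PHP file of the plugin directory.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)


def parse_version(text):
    """'1.0.3' -> (1, 0, 3); returns None if no leading dotted number."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def read_plugin_version(plugin_dir):
    """Return the header version string of a plugin directory, or None."""
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only inspects the first 8 KiB of each file.
        head = php.read_bytes()[:8192].decode("utf-8", errors="replace")
        m = VERSION_RE.search(head)
        if m:
            return m.group(1)
    return None


def find_affected_installs(root):
    """Report every copy of the affected plugin found below `root`."""
    findings = []
    for plugin_dir in sorted(Path(root).rglob(AFFECTED_SLUG)):
        if not plugin_dir.is_dir() or plugin_dir.parent.name != "plugins":
            continue
        raw = read_plugin_version(plugin_dir)
        parsed = parse_version(raw)
        # An unreadable version counts as affected: no fixed release exists.
        affected = parsed is None or parsed <= LAST_AFFECTED
        findings.append(
            {"path": str(plugin_dir), "version": raw, "affected": affected}
        )
    return findings
```

Every finding is a removal candidate regardless of the `affected` flag, since the directory no longer distributes any version of the plugin.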
Affected products
- (no CPE) range: <=1.0.3
- (no CPE) range: <=1.0.3
Patches
extender-all-in-one-for-elementor: This plugin has been removed from the WordPress.org directory on 2024-10-24 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page