The Essential Addons for Elementor plugin, widely used to enhance WordPress sites with additional templates, widgets, and WooCommerce builders, contains a stored cross-site scripting vulnerability identified as CVE-2024-9994. This vulnerability is due to insufficient sanitization and escaping of user-supplied input in the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or deface site content. The vulnerability affects all plugin versions up to and including 6.1.12. The CVSS 3.1 base score of 6.4 reflects that the attack can be launched remotely over the network with low complexity but requires authenticated access, and no user interaction is needed for exploitation. The scope is changed because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, but the widespread use of this plugin in WordPress sites makes it a significant risk. The vulnerability falls under CWE-79, a common and dangerous web application security flaw. Attackers exploiting this vulnerability could compromise site integrity and confidentiality, potentially leading to broader attacks such as privilege escalation or persistent site compromise.

The primary impact of CVE-2024-9994 is the compromise of confidentiality and integrity of affected WordPress sites using the Essential Addons for Elementor plugin. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users’ browsers, enabling session hijacking, credential theft, unauthorized actions, or defacement. This can erode user trust, damage brand reputation, and lead to data breaches. Although availability is not directly impacted, the indirect effects such as site defacement or administrative account compromise could disrupt normal operations. Organizations relying on this plugin, especially those with multiple contributors or editors, face increased risk of insider threats or compromised contributor accounts being leveraged for attacks. The vulnerability’s network accessibility and lack of required user interaction increase the likelihood of exploitation once an attacker gains contributor access. Given the popularity of Elementor and its addons, a large number of WordPress sites globally are potentially exposed, including e-commerce, corporate, and media websites.

To mitigate CVE-2024-9994, organizations should immediately upgrade the Essential Addons for Elementor plugin to a version that addresses this vulnerability once available. Until a patch is released, restrict contributor-level access to trusted users only and audit existing contributor accounts for suspicious activity. Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the eael_pricing_item_tooltip_content parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor website logs for unusual input patterns or script injections. Educate site administrators and contributors about the risks of XSS and safe content input practices. Additionally, consider disabling or limiting the use of the Pricing Table Widget if feasible. Conduct thorough security reviews of all third-party plugins and maintain a strict plugin update policy to reduce exposure to similar vulnerabilities.