Skip to main content

CVE-2024-9994: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Addons for Elementor – Popular Elementor Templates and Widgets

Medium
VulnerabilityCVE-2024-9994cvecve-2024-9994cwe-79
Published: Sat Jun 07 2025 (06/07/2025, 11:17:49 UTC)
Source: CVE Database V5
Vendor/Project: wpdevteam
Product: Essential Addons for Elementor – Popular Elementor Templates and Widgets

Description

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 07/08/2025, 12:42:33 UTC

Technical Analysis

CVE-2024-9994 is a stored Cross-Site Scripting (XSS) vulnerability found in the WordPress plugin 'Essential Addons for Elementor – Popular Elementor Templates and Widgets,' developed by wpdevteam. This vulnerability specifically affects the Pricing Table Widget component, where the parameter 'eael_pricing_item_tooltip_content' does not properly sanitize or escape user-supplied input. As a result, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability affects all plugin versions up to and including 6.1.12. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor access but no user interaction is needed for exploitation. The scope is changed because the vulnerability allows an attacker to affect other users beyond their own privileges. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability falls under CWE-79, which concerns improper neutralization of input during web page generation, a common cause of XSS issues.

Potential Impact

For European organizations using WordPress websites with the Essential Addons for Elementor plugin, this vulnerability poses a significant risk to website integrity and user trust. Attackers with contributor-level access—often content creators or editors—can inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, enabling session hijacking, unauthorized actions such as content defacement, or even further compromise of the website backend. Given the widespread use of WordPress and Elementor in Europe for corporate, governmental, and e-commerce websites, exploitation could result in reputational damage, data breaches involving personal data protected under GDPR, and potential financial losses. The vulnerability does not directly impact availability but compromises confidentiality and integrity. Since contributor-level access is required, the threat is somewhat mitigated by proper access controls, but insider threats or compromised contributor accounts increase risk. The lack of user interaction for exploitation means that once the malicious script is injected, any visitor to the affected page is at risk. This could also facilitate phishing or drive-by malware attacks targeting European users.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations for the presence of the Essential Addons for Elementor plugin and verify the version in use. Until an official patch is released, organizations should restrict contributor-level permissions to trusted users only and consider temporarily disabling or removing the Pricing Table Widget functionality if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the 'eael_pricing_item_tooltip_content' parameter can provide interim protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting the execution of unauthorized JavaScript. Regularly monitoring logs for unusual activity or unexpected content changes in pricing tables is recommended. Organizations should also educate content contributors about the risks of uploading untrusted content and enforce strong authentication mechanisms to prevent account compromise. Once a patch is available, prompt updating of the plugin is critical. Finally, conducting a thorough security review of user roles and permissions within WordPress can reduce the attack surface.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-10-15T12:44:47.074Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68443c7f71f4d251b50d0029

Added to database: 6/7/2025, 1:19:59 PM

Last enriched: 7/8/2025, 12:42:33 PM

Last updated: 7/30/2025, 4:14:41 PM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats