CVE-2024-9994: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Addons for Elementor – Popular Elementor Templates and Widgets
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2024-9994 is a stored Cross-Site Scripting (XSS) vulnerability found in the WordPress plugin 'Essential Addons for Elementor – Popular Elementor Templates and Widgets,' developed by wpdevteam. This vulnerability specifically affects the Pricing Table Widget component, where the parameter 'eael_pricing_item_tooltip_content' does not properly sanitize or escape user-supplied input. As a result, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability affects all plugin versions up to and including 6.1.12. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor access but no user interaction is needed for exploitation. The scope is changed because the vulnerability allows an attacker to affect other users beyond their own privileges. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability falls under CWE-79, which concerns improper neutralization of input during web page generation, a common cause of XSS issues.
Potential Impact
For European organizations using WordPress websites with the Essential Addons for Elementor plugin, this vulnerability poses a significant risk to website integrity and user trust. Attackers with contributor-level access—often content creators or editors—can inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, enabling session hijacking, unauthorized actions such as content defacement, or even further compromise of the website backend. Given the widespread use of WordPress and Elementor in Europe for corporate, governmental, and e-commerce websites, exploitation could result in reputational damage, data breaches involving personal data protected under GDPR, and potential financial losses. The vulnerability does not directly impact availability but compromises confidentiality and integrity. Since contributor-level access is required, the threat is somewhat mitigated by proper access controls, but insider threats or compromised contributor accounts increase risk. The lack of user interaction for exploitation means that once the malicious script is injected, any visitor to the affected page is at risk. This could also facilitate phishing or drive-by malware attacks targeting European users.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations for the presence of the Essential Addons for Elementor plugin and verify the version in use. Until an official patch is released, organizations should restrict contributor-level permissions to trusted users only and consider temporarily disabling or removing the Pricing Table Widget functionality if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the 'eael_pricing_item_tooltip_content' parameter can provide interim protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting the execution of unauthorized JavaScript. Regularly monitoring logs for unusual activity or unexpected content changes in pricing tables is recommended. Organizations should also educate content contributors about the risks of uploading untrusted content and enforce strong authentication mechanisms to prevent account compromise. Once a patch is available, prompt updating of the plugin is critical. Finally, conducting a thorough security review of user roles and permissions within WordPress can reduce the attack surface.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
CVE-2024-9994: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpdevteam Essential Addons for Elementor – Popular Elementor Templates and Widgets
Description
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI-Powered Analysis
Technical Analysis
CVE-2024-9994 is a stored Cross-Site Scripting (XSS) vulnerability found in the WordPress plugin 'Essential Addons for Elementor – Popular Elementor Templates and Widgets,' developed by wpdevteam. This vulnerability specifically affects the Pricing Table Widget component, where the parameter 'eael_pricing_item_tooltip_content' does not properly sanitize or escape user-supplied input. As a result, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability affects all plugin versions up to and including 6.1.12. The CVSS v3.1 base score is 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to contributor access but no user interaction is needed for exploitation. The scope is changed because the vulnerability allows an attacker to affect other users beyond their own privileges. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability falls under CWE-79, which concerns improper neutralization of input during web page generation, a common cause of XSS issues.
Potential Impact
For European organizations using WordPress websites with the Essential Addons for Elementor plugin, this vulnerability poses a significant risk to website integrity and user trust. Attackers with contributor-level access—often content creators or editors—can inject malicious scripts that execute in the browsers of site visitors or administrators. This can lead to theft of authentication cookies, enabling session hijacking, unauthorized actions such as content defacement, or even further compromise of the website backend. Given the widespread use of WordPress and Elementor in Europe for corporate, governmental, and e-commerce websites, exploitation could result in reputational damage, data breaches involving personal data protected under GDPR, and potential financial losses. The vulnerability does not directly impact availability but compromises confidentiality and integrity. Since contributor-level access is required, the threat is somewhat mitigated by proper access controls, but insider threats or compromised contributor accounts increase risk. The lack of user interaction for exploitation means that once the malicious script is injected, any visitor to the affected page is at risk. This could also facilitate phishing or drive-by malware attacks targeting European users.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations for the presence of the Essential Addons for Elementor plugin and verify the version in use. Until an official patch is released, organizations should restrict contributor-level permissions to trusted users only and consider temporarily disabling or removing the Pricing Table Widget functionality if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the 'eael_pricing_item_tooltip_content' parameter can provide interim protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting the execution of unauthorized JavaScript. Regularly monitoring logs for unusual activity or unexpected content changes in pricing tables is recommended. Organizations should also educate content contributors about the risks of uploading untrusted content and enforce strong authentication mechanisms to prevent account compromise. Once a patch is available, prompt updating of the plugin is critical. Finally, conducting a thorough security review of user roles and permissions within WordPress can reduce the attack surface.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-10-15T12:44:47.074Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68443c7f71f4d251b50d0029
Added to database: 6/7/2025, 1:19:59 PM
Last enriched: 7/8/2025, 12:42:33 PM
Last updated: 7/30/2025, 4:14:41 PM
Views: 11
Related Threats
CVE-2025-5468: CWE-61: UNIX Symbolic Link in Ivanti Connect Secure
MediumCVE-2025-5466: CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in Ivanti Connect Secure
MediumCVE-2025-5456: CWE-125 Out-of-bounds Read in Ivanti Connect Secure
HighCVE-2025-3831: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. in checkpoint Check Point Harmony SASE
HighCVE-2025-5462: CWE-122 Heap-based Buffer Overflow in Ivanti Connect Secure
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.