Colibri Page Builder Vulnerability – Authenticated Stored Cross-Site Scripting – CVE-2024-2839 | WordPress Plugin Vulnerability Report

Plugin Name: Colibri Page Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: colibri-page-builder
  • Software Status: Active
  • Software Author: extendthemes
  • Software Downloads: 2,492,925
  • Active Installs: 100,000
  • Last Updated: April 2, 2024
  • Patched Versions: 1.0.270
  • Affected Versions: <= 1.0.263

Vulnerability Details:

  • Name: Colibri Page Builder <= 1.0.263
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2839
  • CVSS Score: 6.4
  • Publicly Published: April 1, 2024
  • Researchers: Ngô Thiên An (ancorn_) - VNPT-VCI, Dau Hoang Tai - VCI
  • Description: The Colibri Page Builder plugin exhibits a Stored Cross-Site Scripting vulnerability through its 'colibri_post_title' shortcode, arising from inadequate sanitization of user-supplied attributes like 'heading_type'. This vulnerability empowers authenticated users with at least contributor-level access to embed harmful scripts that activate upon page viewing.


The widely-used Colibri Page Builder for WordPress contains a critical vulnerability in versions up to and including 1.0.263, identified as CVE-2024-2839. This flaw, involving Stored Cross-Site Scripting through a shortcode, compromises website safety, allowing attackers to execute unauthorized scripts. Fortuitously, this concern has been addressed in version 1.0.270, reinforcing the plugin's defenses.

Detailed Overview:

This vulnerability was unveiled by the keen analysis of security researchers Ngô Thiên An and Dau Hoang Tai, who pinpointed the risk within the 'colibri_post_title' shortcode. The lack of stringent input checks and output sanitization could lead to the injection of malicious scripts, jeopardizing both website integrity and user data. The update to version 1.0.270 is a crucial corrective step, patching this vulnerability and bolstering the plugin against similar security threats.

Advice for Users:

  • Immediate Action: It is imperative for users of the Colibri Page Builder plugin to update to the latest version, 1.0.270, without delay, effectively neutralizing this vulnerability.
  • Check for Signs of Vulnerability: Website administrators should vigilantly inspect their sites for anomalies or unauthorized modifications, indicators of potential exploitation.
  • Alternate Plugins: Although a patch is now available, users may still contemplate alternative page-building plugins offering comparable functionalities as a precautionary strategy.
  • Stay Updated: Consistently keeping all WordPress plugins updated is essential in safeguarding against vulnerabilities, ensuring a secure and reliable website environment.


The swift response by the developers of Colibri Page Builder to rectify this vulnerability highlights the paramount importance of maintaining updated software within the WordPress ecosystem. By ensuring the plugin is upgraded to version 1.0.270 or later, users can bolster their websites against the threats posed by CVE-2024-2839, securing their digital presence against potential cyber threats.


Detailed Report: 

In today's digital era, where websites act as the linchpin of many businesses, the sanctity of your online space is paramount. The revelation of a vulnerability in the Colibri Page Builder, a popular WordPress plugin, underscores the ever-present digital threats that loom over even the most benign tools. Identified as CVE-2024-2839, this vulnerability exposes the plugin to Authenticated Stored Cross-Site Scripting attacks, highlighting the indispensable need for diligent website maintenance and the prompt application of updates to mitigate such risks.

About the Colibri Page Builder Plugin:

Crafted by ExtendThemes, the Colibri Page Builder enhances WordPress sites with its intuitive design capabilities, boasting over 100,000 active installations. Its user-friendly interface has made it a favorite among website owners for crafting engaging web pages. However, like any software, it's not immune to vulnerabilities, as evidenced by the recent discovery.

Vulnerability Insights:

  • CVE-2024-2839: This vulnerability is present in versions up to and including 1.0.263 of the Colibri Page Builder plugin. It arises from insufficient sanitization of the 'colibri_post_title' shortcode's user-supplied attributes, such as 'heading_type', enabling attackers with contributor-level access to inject malicious scripts.
  • Impact: The exploitation of this vulnerability can lead to unauthorized actions being performed on behalf of users, data theft, and potentially compromising the entire website.

Mitigating the Vulnerability:

The developers responded swiftly to this threat by releasing patch version 1.0.270, which rectifies the vulnerability and fortifies the plugin against similar exploits. Users are urged to update to this latest version promptly to safeguard their sites.

Historical Context and Ongoing Vigilance:

This isn't the plugin's first encounter with security flaws, with six vulnerabilities reported since June 22, 2023. Such a history accentuates the critical nature of ongoing vigilance and the need for regular updates.


The discovery and subsequent rectification of CVE-2024-2839 in the Colibri Page Builder plugin serve as a poignant reminder of the cyber threats that perpetually shadow digital tools. For small business owners, who often juggle myriad responsibilities, understanding the significance of cybersecurity and implementing a routine for regular software updates can seem daunting. However, the potential repercussions of neglecting these practices—ranging from data breaches to significant reputational damage—underscore the necessity of prioritizing website security. Leveraging resources like automatic update features, employing reputable security plugins, and staying attuned to the latest in cybersecurity can help ensure that your WordPress site remains a secure and reliable asset for your business. In the digital realm, being proactive about security is not just beneficial; it's imperative for safeguarding your online presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Colibri Page Builder Vulnerability – Authenticated Stored Cross-Site Scripting – CVE-2024-2839 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment