Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-2091 |WordPress Plugin Vulnerability Report

Plugin Name: Elementor Addon Elements

Key Information:

  • Software Type: Plugin
  • Software Slug: addon-elements-for-elementor-page-builder
  • Software Status: Active
  • Software Author: webtechstreet
  • Software Downloads: 2,523,308
  • Active Installs: 100,000
  • Last Updated: March 26, 2024
  • Patched Versions: 1.13.2
  • Affected Versions: <= 1.13.1

Vulnerability Details:

  • Name: Elementor Addon Elements <= 1.13.1 Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • CVE: CVE-2024-2091
  • CVSS Score: 5.4
  • Publicly Published: March 26, 2024
  • Researcher: Wesley
  • Description: The Elementor Addon Elements plugin, a popular extension for the Elementor Page Builder, has been identified as vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to 1.13.1. This vulnerability stems from the plugin's lack of proper input sanitization and output escaping, enabling attackers with contributor-level access or higher to inject harmful scripts into web pages, which are then executed when accessed by unsuspecting users.


The Elementor Addon Elements plugin for WordPress harbors a significant security flaw in versions up to and including 1.13.1, exposing sites to potential Stored Cross-Site Scripting attacks. This vulnerability, addressed in version 1.13.2, underscores the importance of maintaining up-to-date security measures within WordPress plugins.

Detailed Overview:

Discovered by the security researcher Wesley, this XSS vulnerability within the Elementor Addon Elements plugin presents a clear and present danger to WordPress sites using affected versions. By exploiting the insufficient input sanitization of the plugin's widgets, authenticated users with sufficient permissions can embed arbitrary scripts into pages. Such scripts could compromise user data, hijack sessions, or redirect users to malicious sites, highlighting the critical nature of this vulnerability.

Advice for Users:

  • Immediate Action: Users of the Elementor Addon Elements plugin should promptly update to the patched version 1.13.2 to mitigate the risk posed by this vulnerability.
  • Check for Signs of Vulnerability: Site administrators are encouraged to review their sites for unusual content changes or unexpected script executions, indicative of a potential XSS exploit.
  • Alternate Plugins: While the latest patch rectifies the XSS vulnerability, users may consider alternative Elementor addons that offer similar functionality but with a robust security track record as an added precaution.
  • Stay Updated: Ensuring that all WordPress themes, plugins, and the core system are up to date is paramount in safeguarding against known vulnerabilities and enhancing site security.


The swift response by the developers of the Elementor Addon Elements plugin in releasing a patch for the XSS vulnerability highlights the critical role of ongoing vigilance and timely updates in the digital landscape. By adhering to best practices for security, including regular updates and thorough site monitoring, WordPress site owners can significantly mitigate the risk of exploitation and ensure a secure environment for their users.


Detailed Report: 

In today's digital age, where websites act as the digital storefronts for businesses, the importance of cybersecurity cannot be overstated. The discovery of a Stored Cross-Site Scripting (XSS) vulnerability in the Elementor Addon Elements plugin, tagged as CVE-2024-2091, is a stark reminder of the continuous battle against digital threats. This vulnerability not only highlights the need for constant vigilance but also the critical importance of keeping website components up to date to shield against potential security breaches that could compromise user data and trust.

Elementor Addon Elements: A Snapshot

The Elementor Addon Elements plugin is a popular extension for the Elementor Page Builder, known for its ability to enhance WordPress sites with additional functionality. Developed by webtechstreet, the plugin boasts an impressive tally of over 2.5 million downloads and sustains 100,000 active installations. Despite its popularity and utility, the plugin's recent vulnerability has raised concerns within the WordPress community.

Understanding the Vulnerability: CVE-2024-2091

CVE-2024-2091 exposes a significant security flaw in versions of the Elementor Addon Elements plugin up to 1.13.1. This vulnerability allows authenticated users with at least contributor-level access to inject malicious scripts into web pages via the plugin's widgets. Such actions could lead to unauthorized data access, session hijacking, or redirecting users to malicious sites, underlining the gravity of this issue.

Risks and Potential Impacts

The potential impacts of CVE-2024-2091 are multifaceted, ranging from compromised site integrity to breaches of user privacy. For small business owners, the repercussions extend beyond the digital realm, potentially affecting customer trust and business reputation. In an environment where data is king, the security of user information is paramount.

Remediation and Proactive Measures

In response to CVE-2024-2091, the developers have released an update, version 1.13.2, that addresses and patches the vulnerability. Site administrators are urged to apply this update promptly to protect their sites. Beyond this immediate action, regularly reviewing site components for updates and potential vulnerabilities is essential in maintaining a secure online presence.

A History of Vulnerabilities

The Elementor Addon Elements plugin has encountered 17 vulnerabilities since September 2020, reflecting the ongoing security challenges faced by digital platforms. Each vulnerability serves as a learning opportunity and a reminder of the importance of continuous monitoring and updating in the digital security landscape.

The Importance of Staying Informed

For small business owners juggling numerous responsibilities, the task of maintaining a secure website can seem overwhelming. However, the consequences of overlooking website security can be far more burdensome. Staying informed about vulnerabilities and updates, leveraging security plugins, and considering professional cybersecurity assistance are pivotal steps in safeguarding your digital presence. In an era where threats evolve rapidly, the commitment to cybersecurity is not just a technical necessity but a fundamental business practice to protect your assets and your customers.

In conclusion, the case of CVE-2024-2091 within the Elementor Addon Elements plugin underscores the ever-present need for diligence in the digital domain. For small business owners, the integrity of a WordPress site is not merely a component of their digital strategy but the bedrock upon which their online reliability and reputation rest. Proactively managing and updating website security measures is not just about preventing breaches; it's about ensuring the longevity and success of your digital footprint in the ever-expanding online marketplace.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-2091 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment