Elementor Website Builder Vulnerability – More than Just a Page Builder – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget – CVE-2024-2117 |WordPress Plugin Vulnerability Report

Plugin Name: Elementor Website Builder – More than Just a Page Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: elementor
  • Software Status: Active
  • Software Author: elemntor
  • Software Downloads: 401,702,579
  • Active Installs: 5,000,000
  • Last Updated: March 27, 2024
  • Patched Versions: 3.20.3
  • Affected Versions: <= 3.20.2

Vulnerability Details:

  • Name: Elementor Website Builder – More than Just a Page Builder <= 3.20.2
  • Title: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2117
  • CVSS Score: 6.4
  • Publicly Published: March 26, 2024
  • Researcher: Webbernaut
  • Description: The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Path Widget in all versions up to and including 3.20.2. This vulnerability arises from insufficient output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages. These scripts can execute whenever a user accesses an injected page, posing significant security risks.


The Elementor Website Builder for WordPress harbors a vulnerability in versions up to and including 3.20.2 that facilitates Stored Cross-Site Scripting through the plugin's Path Widget. This vulnerability has been addressed and fixed in version 3.20.3.

Detailed Overview:

This vulnerability, discovered by researcher Webbernaut, specifically targets the Path Widget of the Elementor Website Builder plugin. Due to insufficient output escaping, attackers with contributor-level access or higher can inject malicious scripts into web pages, leading to unauthorized script execution when those pages are viewed by other users. The potential for data theft, session hijacking, and other malicious activities through such script injections underscores the critical nature of this vulnerability. Following Webbernaut's discovery, the Elementor team promptly released version 3.20.3, which includes a patch to prevent such attacks.

Advice for Users:

  • Immediate Action: Update your Elementor Website Builder plugin to version 3.20.3 without delay to protect your site from potential exploits.
  • Check for Signs of Vulnerability: Monitor your website for unusual activity and review page contents for unexpected or malicious scripts, especially if using versions affected by this vulnerability.
  • Alternate Plugins: While the current issue has been patched, users may consider exploring other reputable page builder plugins as a precautionary measure.
  • Stay Updated: Regularly updating all your WordPress plugins and core software is crucial to maintaining a secure web presence and mitigating the risk of vulnerabilities.


The quick resolution of the vulnerability in the Elementor Website Builder plugin highlights the importance of prompt software updates. To safeguard your WordPress site against similar threats, it is essential to ensure that all plugins, especially widely used ones like Elementor, are kept up-to-date. Running version 3.20.3 or later of the Elementor plugin is now imperative for maintaining a secure and resilient WordPress environment.


Detailed Report: 

In the digital realm, the integrity of your website is paramount. The recent revelation of a vulnerability within the Elementor Website Builder plugin, a tool integral to over 5 million WordPress sites, casts a stark light on the perpetual battle for cyber security. The identified flaw, CVE-2024-2117, underscores a critical truth in the digital age: the necessity of constant vigilance and the immediacy of updating digital tools to safeguard against emerging threats.

Elementor Website Builder: A Pillar in Web Design

Elementor has revolutionized web design for many, offering a user-friendly interface that belies the complexity of its underlying technology. With more than 401 million downloads, its influence and utility are undeniable. However, this widespread adoption also makes it a significant target for exploitation.

The Vulnerability at Hand

CVE-2024-2117 exposes a vulnerability that allowed authenticated users with contributor-level access or higher to inject malicious scripts via the plugin's Path Widget. This DOM-Based Stored Cross-Site Scripting vulnerability, identified by the researcher Webbernaut, could lead to unauthorized script execution when an injected page is accessed. The implications of such an exploit are profound, ranging from data breaches to complete site compromise.

Understanding the Risks

The risks associated with this vulnerability extend beyond mere website dysfunction. They encompass potential data theft, privacy breaches, and the undermining of user trust. For small business owners, the ramifications could be particularly severe, affecting customer relationships and, ultimately, the bottom line.

Mitigating the Threat

The remediation for this vulnerability came with the release of patch version 3.20.3. For website owners, the immediate action should involve updating the Elementor plugin to this latest version. Beyond this specific incident, adopting a regimen of regular updates, monitoring site activity for anomalies, and being prepared with alternate plugin options can fortify a site's defenses against unforeseen vulnerabilities.

Historical Context

This is not Elementor's first encounter with security vulnerabilities; since 2017, there have been 30 reported issues. This history not only highlights the challenges inherent in maintaining complex software but also the importance of a proactive approach to web security.

The Imperative of Vigilance

For small business owners juggling myriad responsibilities, the demand for constant security oversight can seem daunting. Yet, the digital landscape waits for no one, and the cost of negligence can far exceed the effort of maintenance. Leveraging tools like automatic updates, subscribing to security advisories, and perhaps most importantly, fostering a culture of security within your organization, can make this task less burdensome.

In conclusion, the discovery of CVE-2024-2117 within the Elementor Website Builder plugin is a critical reminder of the ever-present need for vigilance in the digital age. For small business owners, the message is clear: the security of your WordPress site is integral to your business's success. Embracing a proactive approach to cybersecurity, prioritizing regular updates, and staying informed about potential vulnerabilities are not just best practices—they are essential strategies for safeguarding your digital presence in an increasingly interconnected world.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Elementor Website Builder Vulnerability – More than Just a Page Builder – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget – CVE-2024-2117 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment