ElementsKit Elementor addons Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1239 | WordPress Plugin Vulnerability Report

Plugin Name: ElementsKit Elementor addons

Key Information:

  • Software Type: Plugin
  • Software Slug: elementskit-lite
  • Software Status: Active
  • Software Author: xspeedstudio
  • Software Downloads: 16,983,084
  • Active Installs: 1,000,000
  • Last Updated: March 19, 2024
  • Patched Versions: 3.0.5
  • Affected Versions: <= 3.0.4

Vulnerability Details:

  • Name: ElementsKit Elementor addons <= 3.0.4
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1239
  • CVSS Score: 6.4
  • Publicly Published: March 15, 2024
  • Researcher: RandomRoot
  • Description: The ElementsKit Elementor addons plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in versions up to and including 3.0.4. The issue arises from inadequate input sanitization and output escaping associated with the blog post 'read more' button. This flaw allows attackers with contributor-level access or higher to inject malicious scripts into web pages, which are then executed when other users view the affected pages.


The ElementsKit Elementor addons for WordPress exhibit a security flaw in versions up to and including 3.0.4, characterized by Stored Cross-Site Scripting via the blog post 'read more' button. This vulnerability, identified as CVE-2024-1239, has been resolved in version 3.0.5.

Detailed Overview:

Discovered by the security researcher RandomRoot, this vulnerability specifically targets the insufficient sanitization and escaping of user inputs related to the 'read more' button in blog posts. The exploit requires the attacker to have at least contributor-level access to the WordPress site, enabling them to embed malicious scripts into pages. These scripts can then perform unauthorized actions on behalf of users viewing the injected content, posing significant security risks including data theft and site compromise.

Advice for Users:

  • Immediate Action: It is imperative for users to update their ElementsKit Elementor addons plugin to version 3.0.5 without delay.
  • Check for Signs of Vulnerability: Administrators should review their site's pages for unusual content or scripts, particularly in blog posts, and audit user roles to ensure only trusted users have content creation privileges.
  • Alternate Plugins: While the current vulnerability has been patched, users may consider exploring alternative Elementor addons that offer similar functionality, especially if frequent security concerns arise.
  • Stay Updated: Regularly updating all WordPress components, including plugins and themes, is crucial for maintaining site security and preventing future vulnerabilities.


The swift response from the developers of ElementsKit Elementor addons in addressing this vulnerability highlights the critical nature of maintaining up-to-date software on your WordPress site. By updating to version 3.0.5 or later, users can protect their websites from potential exploitation through this Stored Cross-Site Scripting vulnerability.


Detailed Report: 

In the bustling digital marketplace, your website acts as the frontline of your business, making its security paramount. The revelation of a security vulnerability in the ElementsKit Elementor addons plugin, known as CVE-2024-1239, highlights a critical challenge many website owners face: the constant vigilance required to safeguard their digital presence. This vulnerability not only underscores the risks associated with outdated plugins but also serves as a call to action for maintaining up-to-date site components.

ElementsKit Elementor Addons: A Staple for Creativity

The ElementsKit Elementor addons plugin is a cornerstone for many WordPress users, enabling them to craft dynamic websites with ease. Developed by xspeedstudio, this plugin boasts over 16 million downloads and powers 1 million active installations. Its versatility and user-friendly interface have made it a favorite among small business owners, bloggers, and digital creators alike.

Unveiling the Vulnerability: CVE-2024-1239

Discovered by the researcher RandomRoot, CVE-2024-1239 is a Stored Cross-Site Scripting (XSS) vulnerability present in ElementsKit versions up to 3.0.4. This flaw arises from insufficient input sanitization and output escaping within the plugin's 'read more' button feature. Consequently, attackers with contributor-level access can inject malicious scripts into web pages, compromising the site's integrity and putting user data at risk.

The Risks: Data Breaches and Beyond

The implications of this vulnerability are far-reaching. Exploited sites may face unauthorized access, data theft, and even complete site compromise. For small businesses, the resultant damage can extend beyond the digital realm, affecting customer trust and financial stability.

Remediation: Securing Your Site

In response to this threat, xspeedstudio released a patched version of the plugin, 3.0.5, which addresses the vulnerability. Website owners are urged to update their ElementsKit Elementor addons plugin immediately to secure their sites. Additionally, monitoring user roles and privileges, along with regular security audits, can prevent future exploits.

A History of Challenges: Previous Vulnerabilities

This isn't the first time ElementsKit has faced security challenges. Since April 2021, five other vulnerabilities have been reported, highlighting the ongoing battle against cyber threats. These instances reinforce the need for constant vigilance and regular updates in the digital security landscape.

Staying Ahead: The Imperative of Proactive Security

For small business owners juggling myriad responsibilities, staying abreast of every security update can seem overwhelming. However, the cost of neglecting website security can be devastating. Implementing automated updates, utilizing managed WordPress hosting services, and partnering with cybersecurity experts can alleviate the burden and ensure your site remains fortified against threats.

In conclusion, the CVE-2024-1239 vulnerability within the ElementsKit Elementor addons plugin serves as a stark reminder of the ever-present cyber threats in the digital landscape. For small business owners, the key to safeguarding your digital storefront lies in proactive security measures and regular maintenance. By prioritizing the security of your WordPress site, you protect not only your digital assets but also the trust and loyalty of your customers. In the realm of digital security, prevention is always better than cure.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

ElementsKit Elementor addons Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1239 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment