Jeg Elementor Kit Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget – CVE-2024-3161 | WordPress Plugin Vulnerability Report

Plugin Name: Jeg Elementor Kit

Key Information:

  • Software Type: Plugin
  • Software Slug: jeg-elementor-kit
  • Software Status: Active
  • Software Author: jegtheme
  • Software Downloads: 1,207,029
  • Active Installs: 200,000
  • Last Updated: May 10, 2024
  • Patched Versions: 2.6.5
  • Affected Versions: <= 2.6.4

Vulnerability Details:

  • Name: Jeg Elementor Kit <= 2.6.4
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3161
  • CVSS Score: 6.4
  • Publicly Published: April 30, 2024
  • Researcher: Webbernaut
  • Description: The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through the countdown widget's attributes in all versions up to and including 2.6.4. This vulnerability arises due to insufficient input sanitization and output escaping, allowing authenticated attackers with contributor access or higher to inject arbitrary web scripts that execute whenever a user accesses an injected page.


The Jeg Elementor Kit for WordPress has a vulnerability in versions up to and including 2.6.4 that enables attackers with contributor-level access to execute stored cross-site scripting via the countdown widget. This vulnerability has been patched in version 2.6.5.

Detailed Overview:

Stored Cross-Site Scripting (XSS) vulnerabilities such as this one allow attackers to persistently embed malicious scripts into web pages viewed by other users, potentially leading to unauthorized data access, session hijacking, and malicious redirection. The specific vulnerability in Jeg Elementor Kit was discovered by the researcher Webbernaut and involves insufficient security controls on the plugin’s countdown widget attributes. The risk posed by this vulnerability is significant, given that the malicious script will persist on the website, affecting all users viewing the infected page until the issue is resolved by removing the malicious content or updating the plugin.

Advice for Users:

  • Immediate Action: Update to the patched version, 2.6.5, immediately.
  • Check for Signs of Vulnerability: Administrators should review their website pages for any unusual scripts or unexpected behavior, particularly in pages incorporating the countdown widget.
  • Alternate Plugins: While an update is available, users may consider evaluating other reputable plugins that offer similar functionalities but have a strong focus on security.
  • Stay Updated: Regular updates are crucial in maintaining security; always ensure your plugins are up to date to prevent vulnerabilities.


The prompt resolution of the XSS vulnerability in the Jeg Elementor Kit by its developers highlights the ongoing need for vigilance in software maintenance. It is essential for users to install updates as soon as they are available to protect against such vulnerabilities. Ensuring that your WordPress installation, including all plugins and themes, is up to date is one of the simplest yet most effective strategies to secure your website.


Detailed Report: 

In today’s digital landscape, maintaining the security of your website is as crucial as the content you host. The recent discovery of a Stored Cross-Site Scripting (XSS) vulnerability in the Jeg Elementor Kit, a widely used WordPress plugin, underscores this point dramatically. Labeled CVE-2024-3161, this flaw exposes sites to potential data breaches and unauthorized control by allowing attackers with merely contributor-level access to inject harmful scripts. This incident is not isolated, with six vulnerabilities reported since November 2022, emphasizing a recurring risk theme. Such vulnerabilities not only jeopardize user trust but can also inflict long-term damage to your online presence. However, the situation is far from dire. With the right practices, particularly timely updates and vigilant monitoring, you can protect your site effectively. This post aims to navigate the complexities of this specific vulnerability, offering actionable steps for mitigation and highlighting the critical role of consistent updates in fortifying website security.

Plugin Overview: Jeg Elementor Kit

Jeg Elementor Kit is a versatile WordPress plugin designed to enhance site aesthetics with advanced layout options. As of May 2024, it has over 1.2 million downloads and 200,000 active installs, demonstrating its popularity and widespread use.

Detailed Vulnerability Report

  • Vulnerability Name: Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
  • CVE Identifier: CVE-2024-3161
  • Risk Assessment: CVSS Score 6.4, indicating a significant risk due to the ability for authenticated attackers to inject arbitrary web scripts.

This vulnerability is particularly alarming because it allows attackers to store malicious scripts directly on web pages, which then execute each time a user accesses the page. Discovered by the researcher Webbernaut, the issue stems from insufficient input sanitization and output escaping within the plugin’s countdown widget attributes.

Risks and Potential Impacts

If exploited, this XSS vulnerability can lead to unauthorized data access, session hijacking, and malicious redirection. For businesses, this means potential exposure of sensitive customer data, compromised user accounts, and a tarnished reputation should the attack become public.

Remediation and Prevention

To address this vulnerability:

  1. Update the Plugin: Ensure Jeg Elementor Kit is updated to version 2.6.5 or later, which includes a patch for the vulnerability.
  2. Monitor Web Pages: Regularly check your web pages for unfamiliar scripts or content that may have been injected.
  3. Consider Alternatives: If recurrent vulnerabilities are a concern, explore other well-maintained plugins that offer similar functionalities but with a stronger security record.

Previous Vulnerabilities

Since November 2022, the Jeg Elementor Kit has encountered six reported vulnerabilities, reflecting the ongoing challenges and importance of routine software maintenance.

Importance of Vigilance in Website Security

For small business owners, the task of regularly updating a WordPress site and monitoring for vulnerabilities may seem daunting, especially with limited time and resources. However, neglecting this aspect of website maintenance can lead to far more severe consequences than the effort required to perform regular updates. Employing automated tools for updates and security checks can reduce the burden and help ensure that vulnerabilities are addressed promptly. Additionally, considering managed WordPress hosting services might offer peace of mind by handling security measures, backups, and updates professionally.

By staying proactive about security updates and adopting a strategic approach to website maintenance, small business owners can significantly mitigate risks and safeguard their online presence against emerging threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Jeg Elementor Kit Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget – CVE-2024-3161 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment