Master Addons Vulnerability – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor – Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget – CVE-2024-2139 | WordPress Plugin Vulnerability Report

Plugin Name: Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: master-addons
  • Software Status: Active
  • Software Author: litonice13
  • Software Downloads: 1,012,079
  • Active Installs: 40,000
  • Last Updated: March 26, 2024
  • Patched Versions:
  • Affected Versions: <=

Vulnerability Details:

  • Name: Master Addons for Elementor <= Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2139
  • CVSS Score: 6.4
  • Publicly Published: March 26, 2024
  • Researcher: Francesco Carlucci
  • Description: The Master Addons for Elementor plugin, a popular tool for enhancing WordPress sites with advanced widgets and effects, has been identified as vulnerable to Stored Cross-Site Scripting (XSS) through its Pricing Table widget. This vulnerability arises from the plugin's failure to properly sanitize and escape user input, enabling attackers with contributor-level permissions to inject harmful scripts into web pages. These scripts could be executed by unsuspecting users, leading to potential security breaches.


The Master Addons plugin, a cornerstone for many WordPress users seeking to enrich their sites with dynamic elements and animations, harbors a vulnerability in versions up to and including Specifically, the flaw lies within the Pricing Table widget, where inadequate input sanitization opens the door for Stored Cross-Site Scripting attacks by users with at least contributor rights. Thankfully, this critical issue has been addressed in the patch released with version

Detailed Overview:

Francesco Carlucci, the researcher behind this discovery, emphasizes the severity of allowing arbitrary script execution, which could compromise site integrity and user security. While the CVSS score of 6.4 denotes a medium severity level, the potential for data leakage and unauthorized site modifications necessitates immediate attention. The plugin's widespread use, evidenced by over a million downloads and 40,000 active installations, amplifies the urgency for updates.

Advice for Users:

  • Immediate Action: All users of Master Addons are strongly encouraged to update to the latest version to mitigate the risk posed by this vulnerability.
  • Check for Signs of Vulnerability: Regular monitoring for unusual site activity or unauthorized content changes can help in early detection of exploitation.
  • Alternate Plugins: While the patched version is deemed secure, exploring alternative plugins with similar functionality may offer peace of mind to cautious users.
  • Stay Updated: Consistently keeping all WordPress plugins up-to-date is key in safeguarding against known vulnerabilities and ensuring a secure web environment.
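
One way to carry out the "Check for Signs of Vulnerability" step is to scan stored Elementor layouts for script-capable markup inside widget settings. This is an added example, not code from the plugin or from this report. It assumes the layout JSON that Elementor keeps in the `_elementor_data` post meta has been exported to a string; the widget type `example-pricing-table` and the sample document are constructed for illustration.

```python
import json
import re

# Heuristic patterns for markup that runs script if a setting is output unescaped.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b"  # script-capable elements
    r"|\bon[a-z]+\s*="                         # inline event handlers
    r"|javascript\s*:",                        # javascript: URIs
    re.IGNORECASE,
)

def iter_strings(value, path):
    """Yield (path, text) for every string nested inside a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}")
    elif isinstance(value, list):  # repeater fields, or an empty settings list
        for index, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{index}]")

def scan_elements(elements):
    """Walk sections, columns and widgets; return (id, widgetType, setting path)."""
    findings = []
    for el in elements:
        if el.get("elType") == "widget":
            for path, text in iter_strings(el.get("settings", {}), "settings"):
                if SUSPICIOUS.search(text):
                    findings.append((el.get("id"), el.get("widgetType"), path))
        findings.extend(scan_elements(el.get("elements", [])))
    return findings

def scan_elementor_data(raw_json):
    return scan_elements(json.loads(raw_json))

# Constructed sample layout: one widget carries an inline event handler.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": [], "elements": [
    {"id": "b2", "elType": "column", "settings": {}, "elements": [
        {"id": "c3", "elType": "widget", "widgetType": "example-pricing-table",
         "settings": {"title": "Pro plan", "features": [
             {"text": "10 sites"},
             {"text": "<span onmouseover=alert(1)>Support</span>"}]},
         "elements": []},
        {"id": "d4", "elType": "widget", "widgetType": "heading",
         "settings": {"title": "Our <b>plans</b>"}, "elements": []}]}]}])

if __name__ == "__main__":
    for finding in scan_elementor_data(SAMPLE):
        print(finding)
```

A hit is a lead for manual review rather than proof of exploitation; pair it with the post's revision history to see which account saved the flagged setting.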


The swift action taken by the developers of Master Addons to rectify this vulnerability underscores the critical nature of maintaining up-to-date software on your WordPress site. By updating to version or later, users can ensure the continued security of their installations, protecting both their content and their visitors from potential harm.


Detailed Report: 

In today's digital age, the integrity of our online presence is paramount, yet it remains perpetually under threat from emerging vulnerabilities. A recent case in point is the discovery of a significant security flaw within the Master Addons plugin for Elementor, a widely acclaimed tool that breathes life into WordPress sites with its dynamic widgets and effects. This revelation serves as a crucial reminder of the relentless vigilance required to safeguard our digital realms.

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor:

Master Addons enriches WordPress sites with an extensive suite of creative elements, boasting over 1,012,079 downloads and 40,000 active installations. Developed by litonice13, this plugin has become integral for users aiming to elevate their website aesthetics and functionality effortlessly.

The Vulnerability at a Glance:

Dubbed CVE-2024-2139, the vulnerability in question is an Authenticated Stored Cross-Site Scripting (XSS) flaw found within the Pricing Table widget of versions up to and including Francesco Carlucci, the researcher behind the discovery, highlighted the risk associated with the plugin's inadequate input sanitization, which could allow attackers with contributor-level access to execute malicious scripts, potentially leading to unauthorized data access and site manipulation.

Risks and Potential Impacts:

The exploitation of this vulnerability could have far-reaching consequences, compromising not only the security of individual websites but also the privacy and safety of their users. The ability for malicious actors to inject harmful scripts poses a significant threat, emphasizing the need for immediate and decisive action to mitigate these risks.

Remediation Steps:

In response to this discovery, the developers of Master Addons acted swiftly to release a patched version, effectively neutralizing the threat posed by CVE-2024-2139. Users are urged to update their plugin installations without delay, ensuring their sites remain secure against this particular vector of attack.

A History of Concerns:

It's noteworthy that this is not the plugin's first encounter with security issues; there have been five previous vulnerabilities reported since February 21, 2022. This history underscores the importance of continuous monitoring and updating as foundational aspects of website maintenance.

The Imperative of Vigilance:

For small business owners, the task of keeping a WordPress site secure can seem daunting amidst myriad operational responsibilities. Yet, the potential repercussions of a security breach — from eroded user trust to tangible financial losses — make it an unavoidable aspect of digital stewardship. Employing automated tools for security scanning and updates can alleviate some of the burdens, but a basic understanding of web security best practices is indispensable.

In conclusion, the discovery of vulnerabilities like CVE-2024-2139 within popular plugins like Master Addons serves as a stark reminder of the ever-present threats in the digital landscape. Staying informed about such vulnerabilities, and acting promptly to address them, is not just a matter of technical upkeep but a critical investment in the credibility and resilience of your online presence. For small business owners, the integrity of your WordPress site is not merely a digital asset but a cornerstone of your brand's reputation and the trust it engenders among your clientele.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
