Premium Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘arrow_style’ – CVE-2024-3647 | WordPress Plugin Vulnerability Report

Plugin Name: Premium Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: premium-addons-for-elementor
  • Software Status: Active
  • Software Author: leap13
  • Software Downloads: 31,878,013
  • Active Installs: 700,000
  • Last Updated: May 9, 2024
  • Patched Versions: 4.10.29
  • Affected Versions: <= 4.10.28

Vulnerability Details:

  • Name: Premium Addons for Elementor <= 4.10.28
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via 'arrow_style'
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3647
  • CVSS Score: 6.4
  • Publicly Published: April 24, 2024
  • Researcher: stealthcopter
  • Description: The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post ticker widget in all versions up to, and including, 4.10.28. This vulnerability arises due to insufficient input sanitization and output escaping on user-supplied attributes. It allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages, which will execute whenever a user accesses these pages. This vulnerability only affects the premium version of the plugin.


The Premium Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 4.10.28 that enables authenticated users with contributor-level access or higher to execute malicious scripts through the plugin's post ticker widget. This vulnerability has been patched in version 4.10.29.

Detailed Overview:

The vulnerability in question, discovered by the researcher known as stealthcopter, involves the 'arrow_style' parameter in the post ticker widget, which lacked proper sanitization and escaping mechanisms. This oversight made it possible for attackers to embed harmful scripts that are executed when the page is viewed. The risk here includes unauthorized access to user data, potential website defacement, and other malicious activities facilitated by XSS attacks. The vulnerability has been addressed in the recent update, emphasizing the necessity for immediate upgrades to the patched version.

Advice for Users:

  • Immediate Action: Users should update to version 4.10.29 without delay.
  • Check for Signs of Vulnerability: Monitor your site for unusual activities or scripts that seem out of place. Webmaster tools and security plugins can aid in identifying potential compromises.
  • Alternate Plugins: While the patched version resolves this issue, users who are unable to update immediately might consider exploring other reputable plugins that offer similar functionalities as a temporary solution.
  • Stay Updated: It is crucial to keep all software, especially WordPress and its plugins, updated to the latest versions to minimize security risks.


The swift action by the developers of Premium Addons for Elementor to release a patch following the discovery of this XSS vulnerability highlights the critical role of maintaining up-to-date software to safeguard digital assets. All users are advised to install the latest version, 4.10.29, to protect their sites from potential security breaches.


Detailed Report: 

In today’s interconnected world, the security of your website is as crucial as the locks on your doors. Recent developments within the WordPress community have spotlighted a significant vulnerability in the Premium Addons for Elementor plugin, identified as CVE-2024-3647. This vulnerability underscores the broader implications of software maintenance, emphasizing the need for continual updates and vigilant security practices to safeguard digital assets.

About Premium Addons for Elementor

Premium Addons for Elementor is a widely used plugin that enhances Elementor page builder with additional widgets and features. It boasts a substantial user base with over 700,000 active installs and more than 31 million downloads. The plugin is developed by leap13 and is crucial for many businesses relying on WordPress for their digital presence.

Detailed Vulnerability Analysis

The vulnerability in question, CVE-2024-3647, affects versions up to 4.10.28 of the plugin and involves the 'arrow_style' parameter within the post ticker widget. This parameter lacked proper sanitization and escaping, allowing authenticated users with at least contributor-level access to inject arbitrary web scripts. These scripts could execute on a user's browser, leading to potential unauthorized access and data manipulation.

Risks and Potential Impacts

If exploited, this vulnerability could allow attackers to perform actions such as stealing user session tokens, defacing websites, or redirecting visitors to malicious sites. The potential for damage is significant, considering the high number of active installs. Such actions could compromise not only the security of the website but also the privacy of its users, leading to loss of trust and potential legal consequences.

Remediation and User Advice

To address this vulnerability, the developers released an updated version, 4.10.29, which patches the XSS flaw. Users of the plugin should:

  • Immediately update to the latest version.
  • Regularly check and update all WordPress plugins and themes.
  • Utilize security plugins to monitor and block unusual activities.
  • Consider regular security audits, especially for business-critical sites.

Historical Context and Recurring Vulnerabilities

This is not the first time vulnerabilities have been discovered in this plugin. There have been 15 reported vulnerabilities since April 2021, emphasizing the need for ongoing vigilance. Each incident serves as a reminder of the evolving nature of cyber threats and the necessity of regular updates.

Conclusion: The Imperative of Proactive Security Measures

For small business owners, the task of managing a website can be daunting, especially with limited time and resources. However, neglecting cybersecurity can result in severe repercussions. Embracing a proactive approach to software maintenance, prioritizing regular updates, and employing automated tools for security monitoring can significantly mitigate risks. Remember, in the realm of cybersecurity, prevention is always better than cure. By staying informed and prepared, small business owners can not only protect their digital assets but also build trust with their users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Premium Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘arrow_style’ – CVE-2024-3647 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment