Premium Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via onClick Events – CVE-2024-0326 | WordPress Plugin Vulnerability Report

Plugin Name: Premium Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: premium-addons-for-elementor
  • Software Status: Active
  • Software Author: leap13
  • Software Downloads: 29,259,716
  • Active Installs: 700,000
  • Last Updated: February 16, 2024
  • Patched Versions: 4.10.19
  • Affected Versions: <= 4.10.18

Vulnerability Details:

  • Name: Premium Addons for Elementor <= 4.10.18
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via onClick Events
  • Type: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0326
  • CVSS Score: 4.9
  • Publicly Published: February 14, 2024
  • Researcher: Webbernaut
  • Description: The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's onClick Event functionality in all versions up to, and including, 4.10.18 due to insufficient input sanitization and output escaping on user-supplied events. Authenticated attackers with contributor-level and above permissions can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The Premium Addons for Elementor for WordPress has a vulnerability in versions up to and including 4.10.18 that allows authenticated users with contributor-level permissions or higher to perform stored cross-site scripting attacks via onClick events. This vulnerability has been patched in version 4.10.19.

Detailed Overview:

The vulnerability, identified by researcher Webbernaut, stems from the plugin's failure to properly sanitize input and escape output for onClick event functionality. This oversight allows attackers to embed malicious scripts into web pages, posing significant risks to website security and integrity. The execution of these scripts can lead to unauthorized access, data theft, and further compromise of website visitors' security. The prompt patching of this vulnerability in version 4.10.19 mitigates these risks, safeguarding websites against potential exploits.

Advice for Users:

Immediate Action: Users of Premium Addons for Elementor should immediately update to the patched version 4.10.19 to protect their sites from this vulnerability.
Check for Signs of Vulnerability: Regularly review your site's content and logs for unexpected changes or unauthorized activities that might indicate exploitation.
Alternate Plugins: While the patched version addresses this specific issue, exploring other reputable Elementor addons can provide additional security and functionality.
Stay Updated: Consistently keeping all WordPress themes, plugins, and core files updated is crucial for maintaining website security and preventing vulnerabilities.


The rapid response of the Premium Addons for Elementor development team in releasing a patch underscores the critical nature of staying vigilant and promptly addressing security vulnerabilities. By updating to version 4.10.19 or later, users can ensure their WordPress installations remain secure and resilient against potential threats.


In today's digital era, where a significant portion of business operations and customer interactions transpire online, the security of your website is paramount. The recent discovery of a critical vulnerability in the Premium Addons for Elementor plugin, a tool utilized by over 700,000 websites, casts a spotlight on the ever-present threat of cyber vulnerabilities and the indispensable need to maintain updated digital assets.

Vulnerability Insights:

The vulnerability, cataloged under CVE-2024-0326, is an authenticated stored cross-site scripting (XSS) issue arising from insufficient input sanitization and output escaping within the plugin's onClick event functionality. Identified by researcher Webbernaut, this flaw permits attackers with contributor-level access to inject malicious scripts into web pages. Such scripts can be executed unknowingly by users, leading to unauthorized access, data breaches, and other security compromises.

Potential Impacts:

The execution of unauthorized scripts poses significant risks, including the theft of sensitive information, the hijacking of user sessions, and the potential for further exploitation of website vulnerabilities. This not only jeopardizes the security of the website but also undermines user trust and can lead to severe reputational damage.

Remediation Steps:

To mitigate this vulnerability, users are urged to:

  1. Update immediately to the patched version, 4.10.19, which addresses this security issue.
  2. Monitor your website for unusual activities or unauthorized changes, indicating potential exploitation.
  3. Consider alternative plugins that provide similar functionalities but with a robust security posture.
  4. Stay vigilant by ensuring all components of your WordPress site are up-to-date, including themes, plugins, and the core installation.

Historical Context:

This is not the first time vulnerabilities have been discovered within the Premium Addons for Elementor plugin. Since April 13, 2021, there have been three documented instances of security flaws, emphasizing the critical nature of regular security audits and updates.


The swift resolution of this vulnerability by the developers of Premium Addons for Elementor serves as a vital reminder of the dynamic nature of cybersecurity threats. For small business owners, whose resources may be limited, understanding and managing website security can seem daunting. However, the consequences of neglecting such vulnerabilities can be far more detrimental. It's crucial to prioritize the security of your digital assets, not only to protect your business but also to safeguard your customers. Remember, the security of your website is an ongoing process, not a one-time setup. Stay informed, stay updated, and consider partnering with cybersecurity professionals to navigate the complexities of website security effectively.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Premium Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via onClick Events – CVE-2024-0326 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment