Premium Addons for Elementor Vulnerability – Multiple Vulnerabilities – CVE-2024-2666, CVE-2024-2665, CVE-2024-2664, CVE-2024-0376 | WordPress Plugin Vulnerability Report 

Plugin Name: Premium Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: premium-addons-for-elementor
  • Software Status: Active
  • Software Author: leap13
  • Software Downloads: 31,302,324
  • Active Installs: 700,000
  • Last Updated: April 16, 2024
  • Patched Versions: 4.10.17, 4.10.25, 4.10.28
  • Affected Versions: <= 4.10.27

Vulnerability Details:

  1. Name: Premium Addons for Elementor <= 4.10.24 - DOM-Based Stored XSS
    • CVE: CVE-2024-2666
    • CVSS Score: 5.4
    • Description: Vulnerability in the Bullet List Widget due to insufficient input sanitization of user attributes.
  2. Name: Premium Addons for Elementor <= 4.10.27 - Stored XSS via Button
    • CVE: CVE-2024-2665
    • CVSS Score: 6.5
    • Description: Vulnerability via the plugin's button widget due to inadequate sanitization of user inputs.
  3. Name: Premium Addons for Elementor <= 4.10.24 - Stored XSS
    • CVE: CVE-2024-2664
    • CVSS Score: 6.4
    • Description: Vulnerability in the Countdown Widget due to improper escaping of user inputs.
  4. Name: Premium Addons for Elementor <= 4.10.16 - Stored XSS via Wrapper Link Widget
    • CVE: CVE-2024-0376
    • CVSS Score: 6.4
    • Description: Vulnerability via the Wrapper Link Widget due to insufficient sanitization of URL inputs.


The Premium Addons for Elementor plugin for WordPress has been identified with multiple vulnerabilities in versions up to and including 4.10.27 that allow authenticated contributors to execute stored cross-site scripting attacks via various widgets. These vulnerabilities have been addressed in versions 4.10.17, 4.10.25, and 4.10.28.

Detailed Overview:

The vulnerabilities found in Premium Addons for Elementor involve several widgets where input sanitization and output escaping were inadequate. Researchers identified these issues in widgets such as the Bullet List, Button, Countdown, and Wrapper Link, which could allow attackers to inject harmful scripts. These scripts could potentially execute malicious actions on the behalf of unsuspecting users, compromising site integrity and user data security. The plugin developers have since released patches to mitigate these risks.

Advice for Users:

  • Immediate Action: Update to versions 4.10.17, 4.10.25, or 4.10.28 immediately to address these vulnerabilities.
  • Check for Signs of Vulnerability: Regularly inspect your site for unusual behavior or unauthorized content modifications.
  • Alternate Plugins: If concerned about ongoing security, consider evaluating other reputable Elementor add-on plugins.
  • Stay Updated: Ensure that all site plugins are frequently updated to the latest versions to safeguard against potential vulnerabilities.


The swift response by the developers of Premium Addons for Elementor to release patches for these vulnerabilities emphasizes the critical nature of regular software updates. Users of the plugin are strongly advised to ensure their installations are updated to version 4.10.17, 4.10.25, or 4.10.28 or later to maintain secure and functional websites.


Detailed Report: 

In the ever-evolving landscape of web security, keeping your digital platforms updated isn't just a best practice—it's a necessity for safeguarding sensitive information against emerging threats. The Premium Addons for Elementor, a widely used WordPress plugin with over 700,000 active installs, has recently been spotlighted for multiple critical vulnerabilities that could expose websites to cross-site scripting (XSS) attacks. This incident underscores the importance of vigilance and timely action in the management of website components.

Detailed Overview:

The vulnerabilities identified in Premium Addons for Elementor involve inadequate input sanitization and output escaping across several widgets, creating potential entry points for attackers to inject malicious scripts. These scripts can execute unauthorized commands, steal cookies or session tokens, or redirect users to malicious websites, significantly compromising both site integrity and user data security. The plugin developers have released patches in updated versions to address these vulnerabilities.

Risks and Potential Impacts:

The exposure to XSS vulnerabilities can lead to data breaches, unauthorized access to website administrative functions, and loss of user trust. For small business owners, these security flaws could translate into significant reputational damage and potential financial losses, especially if sensitive customer information is compromised.

Overview of Previous Vulnerabilities:

Since April 13, 2021, there have been 12 previous vulnerabilities reported for this plugin, underscoring the critical nature of continuous monitoring and updating.


The swift action taken by the developers of Premium Addons for Elementor to patch these vulnerabilities is commendable and highlights the essential nature of timely software updates in maintaining secure web environments. For small business owners, the challenge of staying on top of potential security threats can be daunting. However, employing practices such as regular updates, utilizing security plugins, and possibly engaging cybersecurity professionals can provide significant protection against common vulnerabilities.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Premium Addons for Elementor Vulnerability – Multiple Vulnerabilities – CVE-2024-2666, CVE-2024-2665, CVE-2024-2664, CVE-2024-0376 | WordPress Plugin Vulnerability Report FAQS

What is XSS, and why is it dangerous?

Cross-Site Scripting (XSS) is a type of security vulnerability typically found in web applications. XSS allows attackers to inject client-side scripts into web pages viewed by other users, which can be used to bypass access controls such as the same-origin policy. This vulnerability can lead to actions like stealing cookies, defacing websites, or redirecting visitors to malicious sites, thereby compromising both user privacy and site integrity.

Leave a Comment