CVE-2024-2455

6.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in the Element Pack WordPress plugin allows authenticated attackers with contributor-level or higher permissions to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. WordPress sites using Element Pack plugin versions up to 7.9.0 are affected.

💻 Affected Systems

Products:
  • Element Pack - Addon for Elementor Page Builder WordPress Plugin
Versions: All versions up to and including 7.9.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Elementor and Element Pack plugin installed. Contributor-level or higher authentication required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠 Likely Case: Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, potentially escalating privileges.

🟢 If Mitigated: With proper user role management and input validation, impact is limited to low-privilege user sessions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with contributor privileges or higher. The vulnerability is in the widget wrapper link URL handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.9.1

Vendor Advisory: https://feedback.elementpack.pro/announcements

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Element Pack - Addon for Elementor'
4. Click 'Update Now' if update is available
5. Alternatively, download version 7.9.1+ from WordPress repository
6. Deactivate old version and upload new version
7. Activate updated plugin

🔧 Temporary Workarounds

Restrict User Roles (all affected versions): Limit contributor-level access to trusted users only and review existing contributor accounts.

Disable Vulnerable Widgets (all affected versions): Temporarily disable Element Pack widgets that use wrapper link functionality until patched.

🧯 If You Can't Patch

  • Remove contributor-level access from untrusted users
  • Implement web application firewall (WAF) rules to block XSS payloads in widget parameters

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Element Pack → Version number. If version is 7.9.0 or lower, you are vulnerable.

Check Version:

wp plugin list --name='Element Pack' --field=version

Verify Fix Applied:

After updating, confirm version is 7.9.1 or higher in WordPress plugins list.
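The version check above can be scripted so it runs the same way before and after patching. The following is an added example, not part of the original advisory or of the Element Pack project: it compares the installed version against the fixed version 7.9.1 with a plain POSIX version comparison (no dependency on `sort -V`), and queries WP-CLI for the installed version. The plugin slug `bdthemes-element-pack` is an assumption; check the slug in your own plugins directory and run it from the WordPress root (or add `--path=`).

```shell
# Added example (not from the advisory). Returns 0 if version $1 is lower than $2,
# comparing dot-separated numeric components; a "-suffix" such as "-beta" is ignored.
version_lt() {
  a="${1%%-*}."
  b="${2%%-*}."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}      # current component of each version
    a=${a#*.};   b=${b#*.}        # drop that component
    ai=${ai:-0}; bi=${bi:-0}      # missing components count as 0 (7.9 == 7.9.0)
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1                        # equal versions are not "lower"
}

# Fixed version from the advisory; anything below it is affected by CVE-2024-2455.
is_vulnerable_version() {
  version_lt "$1" "7.9.1"
}

# Ask WP-CLI for the installed version and classify it.
# The slug 'bdthemes-element-pack' is an assumption; adjust to your installation.
check_element_pack() {
  slug="bdthemes-element-pack"
  ver=$(wp plugin get "$slug" --field=version 2>/dev/null) || {
    echo "Element Pack ($slug): not installed or WP-CLI not available"
    return 2
  }
  if is_vulnerable_version "$ver"; then
    echo "VULNERABLE: Element Pack $ver is below the fixed version 7.9.1"
    return 1
  fi
  echo "OK: Element Pack $ver is at or above 7.9.1"
  return 0
}

# Usage: sh check.sh --check   (exit status 0 = patched, 1 = vulnerable, 2 = not found)
if [ "${1:-}" = "--check" ]; then
  check_element_pack
fi
```

The exit status is meant for use in a fleet-wide loop over sites (for example `wp --path=/var/www/siteN ...`), so that vulnerable installs can be listed and re-checked after the update without reading version numbers by hand.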

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to widget update endpoints
  • Suspicious JavaScript in page content from contributor users

Network Indicators:

  • Malicious script loading from compromised pages
  • Unexpected outbound connections from user browsers

SIEM Query:

source="wordpress.log" AND ("element-pack" OR "widget-wrapper") AND ("update" OR "save") AND status=200
