CVE-2024-8440

Published Sep 11, 2024

Last updated 2 years ago

CVSS medium 5.4
WordPress
Elementor

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-8440 is a stored cross-site scripting (XSS) vulnerability found in the Essential Addons for Elementor WordPress plugin. The vulnerability affects versions up to and including 6.0.3. It exists within the Fancy Text widget due to insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. These malicious scripts execute in users' browsers when they access the compromised pages. Updating to version 6.0.4 or later of the Essential Addons for Elementor plugin resolves this vulnerability.

Description
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source
security@wordfence.com
NVD status
Analyzed
Products
essential_addons_for_elementor

Risk scores

CVSS 3.1

Type
Primary
Base score
5.4
Impact score
2.7
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security@wordfence.com
CWE-79

Social media

Hype score
Not currently trending

  1. CVE-2024-8440这个能够直接提权的漏洞外,sandboxescaper还公布了两个越权删除任意文件的EXP(CVE-2018-8584)和一个越权读取任意文件的EXP。12月份公布的后两个漏洞虽然也是Windows中的逻辑问题,但是与RPC无关。 咨询:https:

    @quincyteellycu

    4 May 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-8440这个能够直接提权的漏洞外,sandboxescaper还公布了两个越权删除任意文件的EXP(CVE-2018-8584)和一个越权读取任意文件的EXP。12月份公布的后两个漏洞虽然也是Windows中的逻辑问题, https://t.co/6jyu8g0iqB https://t.c

    @MeliaDelfiyi

    11 Nov 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-8440这个能够直接提权的漏洞外,sandboxescaper还公布了两个越权删除任意文件的EXP(CVE-2024-8584)和一个越权读取任意文件的EXP。12月份公布的后两个漏洞虽然也是Windows中的逻辑问题,但是与RPC无关。 技术联系

    @Drutor88

    14 Sept 2025

    3740 Impressions

    0 Retweets

    35 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2024-8440这个能够直接提权的漏洞外,sandboxescaper还公布了两个越权删除任意文件的EXP(CVE-2014-8584)和一个越权读取任意文件的EXP。12月份公布的后两个漏洞虽然也是Windows中的逻辑问题,但是与RPC无关。 技术联系

    @Ii6Roun7

    31 Aug 2025

    2595 Impressions

    0 Retweets

    44 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2024-8440这个能够直接提权的漏洞外,sandboxescaper还公布了两个越权删除任意文件的EXP(CVE-2014-8584)和一个越权读取任意文件的EXP。 12月份公布的后两个漏洞虽然也是Windows中的逻辑问题,但是与RPC无关。 https://t.co

    @JoiR666

    29 Aug 2025

    2401 Impressions

    0 Retweets

    65 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.CVE-2026-2486
  2. WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.CVE-2026-26370
  3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3.CVE-2025-69092
  4. The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.CVE-2025-67846
  5. The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.CVE-2025-9501

References

Sources include official advisories and independent security research.