CVE-2024-1234 · The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up t

01 · The Real Story

This is graffiti on the lobby wall, not a key to the building

CVE-2024-1234 is a stored XSS flaw in the WordPress plugin Exclusive Addons for Elementor affecting versions <= 2.6.9. A user with Contributor or higher privileges can place script-bearing payloads into a vulnerable data attribute; that payload is then stored and rendered later when someone loads the poisoned content.

The vendor's MEDIUM 6.4 label is fair in a vacuum, but it oversells real-world urgency for most enterprise patch queues. The decisive friction is the attacker must already have a valid low-privilege WordPress foothold or a site that allows untrusted contributor registrations; that makes this a post-initial-access web-content abuse issue, not a broad unauthenticated internet-exploitation event.

"Real risk is constrained by the need for a Contributor+ foothold; this is post-auth content abuse, not edge compromise."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get a Contributor+ foothold

The attacker first needs a valid WordPress account with at least Contributor permissions. In practice that usually means compromised credentials, abuse of public self-registration, or a malicious insider/content author. Typical tooling is just wp-login.php, a browser, or Burp Suite to replay authenticated requests.

Conditions required:

Target runs WordPress with Exclusive Addons for Elementor installed
Attacker has Contributor, Author, Editor, or higher access
Affected plugin version is <= 2.6.9

Where this breaks in practice:

Many enterprise WordPress sites do not expose public contributor registration
Contributor accounts are a prior-compromise prerequisite, not a starting point
SSO, MFA, and identity hygiene often block this stage before the CVE matters

Detection/coverage: Version scanners such as Wordfence/WPScan can flag vulnerable plugin versions, but external network scanners generally cannot prove plugin presence/version reliably.

STEP 02

Inject the stored payload

Using the Elementor workflow, the attacker saves crafted content that lands in the vulnerable data attribute. Burp Suite, browser DevTools, or normal editor UI actions are enough; the exploit is not technically hard once authenticated access exists.

Conditions required:

Attacker can create or edit content rendered by the vulnerable widget/field path
Input reaches the vulnerable attribute without sanitization/escaping

Where this breaks in practice:

Not every site exposes the relevant widget path to Contributors
Editorial workflow or approval gates may prevent attacker-authored content from going live
Site hardening plugins may strip obvious payloads even though the plugin itself is flawed

Detection/coverage: Server logs may only show normal authenticated content edits. Content-security plugins and change-monitoring on posts/pages are more useful than network IDS here.

STEP 03

Wait for a higher-value viewer

The stored payload becomes useful when a privileged user, usually an Editor or Administrator, loads the poisoned page or editor context. Although the vendor vector marks UI:N, real privilege-escalation value typically depends on a human victim opening the stored content, which aligns better with NVD's later UI:R enrichment.

Conditions required:

A privileged user visits the malicious content
Browser executes inline or referenced JavaScript in the site context

Where this breaks in practice:

If only anonymous visitors see the page, impact may stay limited to client-side nuisance or session theft attempts
Strong CSP can reduce payload options on well-hardened sites
Admins may rarely view low-value contributor content on locked-down enterprise sites

Detection/coverage: Browser-side telemetry is usually absent. Admin-session anomalies, suspicious nonce reuse, and abrupt role/plugin changes are stronger indicators than perimeter logs.

STEP 04

Abuse the admin context

If the payload executes in an administrator's browser, the attacker can steal nonces, trigger privileged AJAX/actions, or ride the session to create users, change plugin settings, or plant follow-on access. Tooling is usually custom JavaScript plus normal WordPress admin endpoints rather than an off-the-shelf exploit framework.

Conditions required:

Admin/editor session context is exposed to the payload
The site lacks browser-side controls that prevent the follow-on actions

Where this breaks in practice:

HttpOnly cookies, nonce scope, and action-specific checks can limit some post-XSS actions
This is still browser-context compromise, not direct server-side RCE
Blast radius is mostly the affected WordPress site/tenant, not the wider enterprise fleet

Detection/coverage: Watch for unexpected admin actions after page views: new users, plugin installs, theme edits, option changes, and suspicious requests from legitimate admin accounts.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative evidence of active exploitation found in CISA KEV, the Wordfence record, or the vendor-adjacent sources reviewed.
Proof-of-concept availability	No primary-source public PoC was located in the reviewed authoritative sources. That said, this is easy to hand-roll with a browser and `Burp Suite` once Contributor+ access exists.
EPSS	User-supplied EPSS is 0.10589. Useful as threat signal, but EPSS is not a substitute for the very strong real-world friction here: the attacker already needs a WordPress foothold.
KEV status	Not listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS nuance	Vendor/Wordfence scored it 6.4 MEDIUM with `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`, while NVD later enriched it to a lower 5.4 with `UI:R`. That UI disagreement matters because practical abuse usually needs a victim admin/editor to load poisoned content.
Affected versions	Exclusive Addons for Elementor <= 2.6.9.
Fixed version	Patched in 2.6.9.1 according to Wordfence and Patchstack; the WordPress.org changelog also shows 2.6.9.1 with `Improve security` on 2024-02-27.
Exposure population	The plugin page currently shows 50,000+ active installations. That's meaningful install base, but external asset intelligence like Shodan/Censys generally cannot reliably fingerprint this plugin and its version from the internet.
Disclosure timeline	Wordfence lists public publication on 2024-02-29; the CVE/NVD publication date is 2024-03-13. Those are different dates and defenders should use the later CVE date only for tracking, not for patch availability.
Reporter / researcher	The CVE record source is Wordfence; the Wordfence page credits researcher Webbernaut.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (4.0/10)

The single most important limiter is attacker position: exploitation starts only after the adversary already has Contributor+ access to WordPress. That prerequisite makes this a narrow, post-auth content-abuse flaw rather than a scalable internet edge compromise, so it does not deserve front-of-queue treatment across a 10,000-host estate.

HIGH Exploit chain requires authenticated Contributor+ access

MEDIUM Stored XSS can enable meaningful site takeover if a privileged user views the payload

Why this verdict

Start at vendor 6.4, then cut for attacker position: this is not unauthenticated remote exploitation. Requiring Contributor+ access means the attacker already has a foothold, abused registration, or an insider role; that is major downward pressure.
Cut again for practical user-interaction reality: despite the vendor's UI:N, the path to meaningful privilege abuse usually requires an admin/editor to load the poisoned content. NVD's later UI:R assessment better fits real operations.
Cut again for reachable population: only sites running this specific plugin version range and allowing low-privilege content authors into the relevant workflow are exposed. That's far narrower than the raw 'network exploitable' label suggests.
Do not drop to IGNORE: the payload is stored, durable, and can ride privileged browser context to create admins or alter site state. On multi-author or externally contributed WordPress sites, this is still exploitable enough to fix.

Why not higher?

There is no unauthenticated path, no direct server-side code execution, and no evidence here of active internet-scale exploitation pressure. For most enterprise WordPress estates, a flaw that starts at Contributor+ is downstream of identity compromise or permissive publishing workflows, which sharply limits real attacker reach.

Why not lower?

Stored XSS is not harmless when it lives in a CMS used by admins. If a malicious or compromised contributor can get content in front of an administrator, the browser context can be abused for user creation, settings changes, and persistent site compromise; that keeps it above IGNORE.

05 · Compensating Control

What to do — in priority order.

Lock down Contributor creation — Disable public self-registration where not explicitly needed, review who actually has Contributor/Author roles, and remove stale accounts. For a LOW verdict there is no mitigation SLA; treat this as backlog hygiene and complete it in the normal WordPress hardening cycle.
Require stronger auth for publishing roles — Put MFA and SSO in front of WordPress accounts that can author or edit content so the attacker never reaches the vulnerable state. For a LOW verdict there is no mitigation SLA; handle it as routine identity hardening rather than emergency work.
Add editorial approval for low-trust authors — Force review before Contributor-authored content is rendered publicly or viewed by admins. That directly breaks the stored-XSS chain by stopping poisoned content from reaching higher-value sessions; for LOW, do this in the standard workflow-improvement queue.
Deploy CSP where feasible — A restrictive Content Security Policy can blunt some XSS payloads, especially script-source and inline execution paths, though WordPress compatibility testing is required. For this LOW issue, schedule carefully as a platform-hardening task, not a fire drill.

What doesn't work

A perimeter WAF alone is weak here because the malicious input arrives over an authenticated, legitimate admin workflow and may be stored long before the victim views it.
Network firewalls do not address browser-context abuse inside WordPress after a valid user logs in.
Routine external vulnerability scanning usually cannot reliably detect this exact plugin/version/exposure state from outside the site.

06 · Verification

Crowdsourced verification payload.

Run this on the WordPress host or from a mounted copy of the site filesystem. Invoke it as bash check_cve_2024_1234.sh /var/www/html and it needs only read access to the WordPress files; sudo is only required if the webroot is not readable by your account.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2024_1234.sh
# Detects whether a WordPress site is vulnerable to CVE-2024-1234
# Affected plugin: Exclusive Addons for Elementor <= 2.6.9
# Patched version: 2.6.9.1+
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

TARGET_ROOT="${1:-}"
PLUGIN_REL="wp-content/plugins/exclusive-addons-for-elementor/exclusive-addons-for-elementor.php"
PATCHED_VERSION="2.6.9.1"
VULN_CUTOFF="2.6.9"

if [[ -z "$TARGET_ROOT" ]]; then
  echo "UNKNOWN - usage: $0 /path/to/wordpress/root"
  exit 2
fi

PLUGIN_FILE="$TARGET_ROOT/$PLUGIN_REL"

if [[ ! -f "$PLUGIN_FILE" ]]; then
  echo "UNKNOWN - plugin file not found: $PLUGIN_FILE"
  exit 2
fi

version_line=$(grep -iE '^\s*Version:\s*' "$PLUGIN_FILE" | head -n1 || true)
if [[ -z "$version_line" ]]; then
  echo "UNKNOWN - could not parse plugin version from $PLUGIN_FILE"
  exit 2
fi

version=$(echo "$version_line" | sed -E 's/^\s*Version:\s*//I' | tr -d '\r' | xargs)
if [[ -z "$version" ]]; then
  echo "UNKNOWN - empty version field in $PLUGIN_FILE"
  exit 2
fi

verlte() {
  # returns success if $1 <= $2 using sort -V
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" == "$1" ]]
}

verlt() {
  # returns success if $1 < $2
  [[ "$1" != "$2" ]] && verlte "$1" "$2"
}

if verlte "$version" "$VULN_CUTOFF"; then
  echo "VULNERABLE - Exclusive Addons for Elementor version $version (affected: <= $VULN_CUTOFF)"
  exit 1
fi

if verlt "$version" "$PATCHED_VERSION"; then
  echo "UNKNOWN - version $version is above vulnerable cutoff but below expected patched floor $PATCHED_VERSION; verify package provenance/backporting manually"
  exit 2
fi

echo "PATCHED - Exclusive Addons for Elementor version $version (patched: >= $PATCHED_VERSION)"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: identify which WordPress sites still run Exclusive Addons for Elementor <= 2.6.9, then check whether those sites allow untrusted or externally sourced Contributor/Author accounts. For this LOW reassessment there is no noisgate mitigation SLA and no noisgate remediation SLA beyond treating it as backlog hygiene, so fold the plugin update to 2.6.9.1+ into the next normal WordPress/plugin maintenance window; if a site has open registration, outsourced content authors, or any history of contributor-account abuse, promote that site locally and patch it in the next available site change window instead of waiting for the broader backlog cycle.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.