CVE-2024-50555
Stored XSS in Elementor Website Builder
Publication date: 2026-02-20
Last updated on: 2026-02-27
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elementor | website_builder | From 3.0.0 (inc) to 3.29.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-50555 is a Cross Site Scripting (XSS) vulnerability in the WordPress Elementor Website Builder Plugin versions up to and including 3.29.0.
This vulnerability allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into the website. These scripts execute when visitors access the compromised site.
Exploitation requires a privileged user with Contributor or Developer roles to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form.
The issue is classified under OWASP Top 10 category A3: Injection and is patched in version 3.29.1 of the Elementor plugin.
How can this vulnerability impact me?
If exploited, this vulnerability can allow attackers to execute malicious scripts on your website, potentially leading to unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.
However, the overall impact is considered low priority and unlikely to be exploited in a significant manner.
Exploitation requires interaction from a privileged user, which reduces the likelihood of widespread impact.
To mitigate the risk, users should update the Elementor plugin to version 3.29.1 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a Stored Cross Site Scripting (XSS) issue in the Elementor Website Builder plugin up to version 3.29.0. Detection involves identifying if your WordPress site is running a vulnerable version of the Elementor plugin.
You can check the installed Elementor plugin version using WordPress CLI commands or by inspecting the plugin version in the WordPress admin dashboard.
- Using WP-CLI: `wp plugin list | grep elementor`
- Check plugin version in WordPress admin under Plugins section.
Since exploitation requires interaction by privileged users (Contributor or Developer roles), such as clicking malicious links or submitting crafted forms, monitoring for unusual activity by those accounts and for unexpected script content in stored pages may help detect exploitation attempts.
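As an added example, not part of this advisory or of the Elementor project, the following POSIX shell script turns the version check above into a repeatable verdict: it parses captured `wp plugin list` table output and reports whether the installed Elementor version falls inside the affected range 3.0.0 to 3.29.0 inclusive. The sample output is constructed, the table layout is assumed to match WP-CLI's default table format, and the version comparison assumes plain dotted numeric versions.

```shell
#!/bin/sh
# Added example, not from the advisory: flag an Elementor install whose version
# lies in the CVE-2024-50555 affected range, 3.0.0 to 3.29.0 inclusive.

# Constructed sample of `wp plugin list` table output (not captured from a real site).
SAMPLE_WP_PLUGIN_LIST='+-----------+----------+-----------+---------+
| name      | status   | update    | version |
+-----------+----------+-----------+---------+
| akismet   | active   | none      | 5.3     |
| elementor | active   | available | 3.28.4  |
+-----------+----------+-----------+---------+'

# Print the version column of the elementor row; prints nothing if absent.
elementor_version() {
    printf '%s\n' "$1" | awk -F'|' '$2 ~ /^ *elementor *$/ { gsub(/ /, "", $5); print $5 }'
}

# Compare two dotted numeric versions (assumes digits only, e.g. 3.29.0).
# Prints -1, 0 or 1; a missing component counts as 0, so 3.29 equals 3.29.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' 0
}

# Return 0 when $1 is inside [3.0.0, 3.29.0], 1 otherwise (empty version = not affected).
elementor_affected() {
    [ -n "$1" ] || return 1
    [ "$(vercmp "$1" 3.0.0)" -ge 0 ] || return 1
    [ "$(vercmp "$1" 3.29.0)" -le 0 ] || return 1
}

# One-line verdict for a captured `wp plugin list` output.
elementor_verdict() {
    v="$(elementor_version "$1")"
    if [ -z "$v" ]; then printf '%s\n' "NOT INSTALLED"
    elif elementor_affected "$v"; then printf '%s\n' "AFFECTED ($v, update to 3.29.1 or later)"
    else printf '%s\n' "NOT AFFECTED ($v)"; fi
}

elementor_verdict "$SAMPLE_WP_PLUGIN_LIST"
```

On a live site, feed the script the real output of `wp plugin list` (for example via `wp plugin list > plugins.txt`) instead of the constructed sample.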
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Elementor Website Builder plugin to version 3.29.1 or later, where the vulnerability is patched.
Additionally, enabling auto-update functionality for plugins can help ensure rapid protection against this and similar vulnerabilities.
Limiting privileged user roles (Contributor or Developer) from interacting with untrusted links or pages can reduce the risk of exploitation.