CVE-2024-2117 - Stored XSS in Elementor Website Builder Path Widget (Up to 3.20.2) – Exploit Details & Fix

Elementor is arguably the most popular website builder for WordPress, powering millions of sites globally. Its powerful features—like drag-and-drop design, widgets, and templates—bring professional web design to everyone, fast. But where there's complexity, vulnerabilities can creep in. Recently, a critical security flaw was discovered: CVE-2024-2117. This vulnerability allows attackers to inject malicious scripts via Elementor’s "Path" widget, leading to persistent—also known as stored—Cross-Site Scripting (XSS).

What Is It?

CVE-2024-2117 is a stored XSS vulnerability impacting the Elementor Website Builder (versions up to and including 3.20.2). The problem lies in the Path Widget feature, which fails to properly escape user-supplied attribute values before using them on a WordPress page.

Any user with contributor-level access (or above)

- Attackers require authentication but do not need admin or editor rights—contributor level is sufficient.

Attackers can inject arbitrary JavaScript into pages using the Path widget.

- Anyone visiting a tainted page (like admins or site visitors) will have the attacker's code executed in their browser session.

How Does the Vulnerability Work?

When building pages in Elementor, users can add a Path Widget that normally renders SVG paths for design effects. However, Elementor does not properly sanitize attributes in this widget. An attacker can craft a specially formatted SVG path with malicious JavaScript in an attribute, and Elementor will render it as-is.

A Simple Attack Example

Suppose a contributor creates a new page or post and adds a Path widget. In one of the widget fields (like “Path Data” or an attribute), instead of regular SVG, they include malicious code like:

<svg>
  <path onmouseover="alert('XSS by CVE-2024-2117!')" d="M150  L75 200 L225 200 Z" />
</svg>

*How this works:*
- The injected code uses an SVG <path> element’s event handler (onmouseover) to trigger JavaScript.
- When any user hovers on the SVG graphic (or sometimes just views it), the script runs in their browser context.

Proof-of-Concept (PoC) Exploit

Below is a simple proof-of-concept exploit for CVE-2024-2117. Use only in authorized environments.

In the “Path Data” or relevant attribute field, paste:

" d="M10 10 H 90 V 90 H 10 Z" onmouseover="alert('This page is vulnerable to CVE-2024-2117!')"

Visit the published page and hover over the SVG Path.

You’ll see a popup alert—proof that the attacker can execute arbitrary scripts!

Why Is This Dangerous?

Stored XSS is particularly dangerous because the malicious payload is saved in the website database. Anyone who visits the infected page gets hit. Attackers can easily:

If you use Elementor

- Immediately update to the latest version (3.20.3 or above).
- Review site contributors and their posts/pages for unusual SVG code.

Consider restricting widget permissions or using a web application firewall (WAF).

Code fix (conceptual):

Always escape all user inputs and attributes

// Example of secure attribute output in PHP
echo esc_attr( $user_input_data );

If you are a developer, ensure similar escaping is used in your plugin code.

References and Further Reading

- Wordfence Advisory: CVE-2024-2117
- Elementor’s Changelog
- CVE Record: CVE-2024-2117
- SVG XSS Reference

Conclusion

CVE-2024-2117 shows that even the biggest plugins are not immune to security issues. Always keep core, plugins, and themes up to date. Review user permissions and sanitize user input everywhere—especially when choosing plugins for your WordPress sites.

If you manage a website with Elementor, upgrade immediately, check your site for unexpected SVG or script code, and stay alert for security notices.

Timeline

Published on: 04/09/2024 19:15:28 UTC
Last modified on: 04/10/2024 13:23:38 UTC