| Plugin Name | Royal Elementor Addons |
|---|---|
| Type of Vulnerability | XSS |
| CVE Number | CVE-2024-12120 |
| Urgency | Medium |
| CVE Publish Date | 2026-02-03 |
| Source URL | CVE-2024-12120 |

Critical Guidance — CVE-2024-12120: Authenticated (Contributor) Stored XSS in Royal Elementor Addons (<= 1.7.1017)
Author: Hong Kong Security Expert
Date: 2026-02-03
Summary: A stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-12120) was disclosed in the Royal Elementor Addons & Templates plugin affecting versions ≤ 1.7.1017. An authenticated user with Contributor-level privileges can inject stored JavaScript that may execute in the browser of higher-privileged users or site visitors. This post explains the technical details, real-world risk, detection steps, and practical mitigation strategies you can apply immediately from the perspective of a Hong Kong security practitioner.
TL;DR — Quick facts
- Vulnerability: Stored Cross-Site Scripting (XSS)
- CVE: CVE-2024-12120
- Affected software: Royal Elementor Addons & Templates plugin ≤ 1.7.1017
- Fixed in: 1.7.1018 (upgrade immediately)
- Required attacker privilege: Authenticated Contributor (or higher, depending on site configuration)
- Exploitation vector: Attacker stores payload in plugin-controlled field(s); script executes when privileged users or visitors view the stored content
- Risk: Medium (CVSS ~6.5 reported) — attacker can run browser-side JavaScript causing session theft, content injection, or persistence
- Immediate mitigations: Update the plugin, remove or limit Contributor accounts, apply virtual patches at the request-inspection level, scan for injected content
Why this matters (real-world impact)
Stored XSS is among the most dangerous client-side vulnerabilities. When arbitrary JavaScript is saved to the database and later executed in the browser of another user, attackers can:
- Steal cookies or session tokens of administrators and attempt full site takeover.
- Perform actions in the browser on behalf of a privileged user (change settings, install plugins, publish content).
- Inject persistent malicious content (redirects, unwanted ads, or DOM-based backdoors).
- Create persistence that survives file-scans, since payloads live in the database.
- Combine with other weaknesses to escalate impact or exfiltrate data.
Because this bug can be triggered by a Contributor-level account — a role frequently used for authors and content submitters — sites accepting user-submitted content are particularly at risk.
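Because the payload lives in the database rather than in files, a content scan has to read stored field values. The following is an added example, not code from the plugin or from the original post: it walks Elementor-style element trees and flags settings strings containing script-capable markup. It assumes widget data is exported as `(post_id, meta_value)` rows holding the JSON that Elementor keeps under the `_elementor_data` postmeta key; the function names, widget names and sample rows are constructed for illustration.

```python
import json
import re
# Heuristic markers: <script>, inline on*= handlers, javascript: URLs (review hits by hand).
SUSPICIOUS = re.compile(r"<\s*script\b|\bon[a-z]{3,}\s*=|javascript\s*:", re.I)

def walk_strings(value, path):
    """Yield (path, text) for every string nested in a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from walk_strings(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from walk_strings(child, f"{path}[{i}]")

def scan_elements(elements, post_id):
    """Recurse through sections, columns and widgets; collect findings."""
    findings = []
    for el in (e for e in elements if isinstance(e, dict)):
        label = el.get("widgetType") or el.get("elType", "?")
        for path, text in walk_strings(el.get("settings", {}), "settings"):
            if SUSPICIOUS.search(text):
                findings.append((post_id, el.get("id"), label, path))
        findings.extend(scan_elements(el.get("elements") or [], post_id))
    return findings

def scan_rows(rows):
    """rows: (post_id, meta_value) pairs exported from the postmeta table."""
    findings = []
    for post_id, meta_value in rows:
        try:
            tree = json.loads(meta_value)
        except (TypeError, ValueError):
            continue  # not JSON: skip the row instead of aborting the scan
        if isinstance(tree, list):
            findings.extend(scan_elements(tree, post_id))
    return findings

# Constructed sample rows (not real site data); widget names are hypothetical.
SAMPLE_ROWS = [
    (10, json.dumps([{"id": "a1", "elType": "widget", "settings": {"title": "Welcome"}}])),
    (11, json.dumps([{"id": "b1", "elType": "section", "settings": [], "elements": [
        {"id": "b2", "elType": "widget", "widgetType": "example-card",
         "settings": {"description": "<img src=x onerror=alert(1)>"}}]}])),
    (12, "not-json"),
]
if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS))
```

Each finding names the post, element id, widget type and settings path, which is enough to open the stored value and identify the account that last edited the post.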
Technical overview: how the vulnerability works
This is a classic stored XSS caused by insufficient input validation and a lack of output escaping in the plugin's UI or rendering logic. In practical terms:
- An authenticated user with Contributor privileges creates or updates a content field exposed by the plugin (template description, widget parameter, shortcode attribute, or plugin-managed postmeta).
- The plugin accepts and saves the input without proper sanitization.
- Later, when an admin/editor or visitor views a page or admin screen that renders the stored field, the plugin outputs the data without encoding, allowing embedded