Protect Hong Kong Websites From XSS Threats (CVE-2024-5542)

Cross-Site Scripting (XSS) in WordPress Master Addons for Elementor Plugin
Plugin Name: Master Addons for Elementor
Type of Vulnerability: Cross-Site Scripting (XSS)
CVE Number: CVE-2024-5542
Urgency: Medium
CVE Publish Date: 2026-02-13
Source URL: CVE-2024-5542

Urgent Security Advisory — CVE-2024-5542: Unauthenticated Stored XSS in Master Addons for Elementor (≤ 2.0.6.1) and How to Protect Your Sites

Author: Hong Kong Security Expert | Date: 2026-02-11 | Tags: WordPress, XSS, Plugin Vulnerability, Master Addons, Elementor

Summary: A stored Cross‑Site Scripting (XSS) vulnerability (CVE‑2024‑5542, CVSS v3.1 base score 7.2) has been disclosed in the Master Addons for Elementor plugin, affecting versions ≤ 2.0.6.1. The flaw allows unauthenticated attackers to store malicious script content via the Navigation Menu widget; that content is later rendered, unescaped, to site visitors. This advisory explains how the issue works, who is at risk, detection techniques, immediate and long‑term mitigations, and containment steps you should take now.

Quick facts

  • Vulnerability: Unauthenticated Stored Cross‑Site Scripting (XSS)
  • Affected software: Master Addons for Elementor (plugin)
  • Affected versions: ≤ 2.0.6.1
  • Fixed version: 2.0.6.2 (update immediately when possible)
  • CVE: CVE‑2024‑5542
  • CVSS (v3.1): 7.2 base score (High on the CVSS v3.1 scale; the environmental score, and therefore the Urgency shown above, may be lower for a given deployment)
  • Privilege required: None (Unauthenticated)
  • Impact: Script execution in the context of visitors (stored XSS), possible theft of cookies/tokens, forced actions, iFrame injection, or pivot to administrative users

What is stored XSS and why it matters

Stored Cross‑Site Scripting (XSS) occurs when an application persists attacker-supplied content and later serves it to other users without adequate sanitization or escaping. Persisted payloads execute whenever a page renders that content, making stored XSS more dangerous than transient (reflected) variants.

Why this is dangerous:

  • Persistence: Payloads execute on every page load that includes the stored content.
  • Wide exposure: Common components such as menus and widgets can expose many visitors.
  • Elevated targets: If administrators view an infected page while logged in, the payload runs with their session. WordPress authentication cookies are set HttpOnly, so script cannot read them directly, but it can still read the REST/AJAX nonces embedded in the page and issue authenticated requests (for example to admin-ajax.php or the REST API) to create users, change options, or install plugins.
  • Data theft & account takeover: JavaScript can exfiltrate any data visible in the page or reachable via the user's session, and can perform actions on behalf of that user.
  • SEO and reputation damage: Injected code can deliver spam, redirects, or malware, harming rankings and user trust.

Because the reported issue is unauthenticated stored XSS, the attacker need not have an account to persist malicious content — making prompt remediation essential.

The Master Addons Navigation Menu widget issue — technical summary

Summary of the vulnerability based on public disclosure and technical analysis:

  • The plugin exposes a Navigation Menu widget that accepts content for rendering menus (labels, links, settings).
  • An endpoint handling widget/menu settings allowed unauthenticated HTTP requests to submit data that is stored by the plugin, due to missing or insufficient authorization checks.
  • Submitted data (for example, a menu item label) was insufficiently sanitized/escaped when output in the front‑end, resulting in script execution in visitors’ browsers.
  • Because the XSS is stored, the malicious payload persists until removed or overwritten.

Typical vulnerable pattern (conceptual):

  1. An endpoint accepts a POST/REST/AJAX payload containing menu text / widget settings and writes it to the database without verifying the submitting user’s capabilities.
  2. The plugin outputs those values in the page markup without appropriate escaping or sanitization.
  3. The browser executes the injected script when the page is rendered.

The plugin author released a fix in version 2.0.6.2 to implement proper authorization checks and sanitize output. Apply this update as soon as operationally possible.
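To make the pattern concrete, here is an added illustration that is not the Master Addons plugin's code (its source is not reproduced on this page): a hypothetical WordPress AJAX handler that stores a menu label for anyone who asks and echoes it back unescaped, beside the same handler with the authorization, nonce, sanitization and output-escaping controls WordPress already provides. The action name `hypo_save_menu_label`, the option name `hypo_menu_label` and the nonce action `hypo_menu_nonce` are assumed for the example.

```php
<?php
// Added example, not the Master Addons plugin's code. All names prefixed
// "hypo_" are assumed for illustration only.

// --- Vulnerable pattern (conceptual) -----------------------------------
// Step 1: the handler is registered for logged-out visitors as well
// (wp_ajax_nopriv_*) and performs no capability or nonce check, so any
// unauthenticated POST to admin-ajax.php?action=hypo_save_menu_label
// writes attacker-controlled text into the database.
add_action( 'wp_ajax_hypo_save_menu_label', 'hypo_save_menu_label_vulnerable' );
add_action( 'wp_ajax_nopriv_hypo_save_menu_label', 'hypo_save_menu_label_vulnerable' );

function hypo_save_menu_label_vulnerable() {
    // Raw request data is persisted as-is: no sanitization.
    update_option( 'hypo_menu_label', $_POST['label'] );
    wp_send_json_success();
}

function hypo_render_menu_label_vulnerable() {
    // Step 2: the stored value is echoed into markup unescaped, so a label
    // such as <img src=x onerror=alert(document.domain)> executes in every
    // visitor's browser (step 3) on each page that renders the menu.
    echo '<li class="menu-item">' . get_option( 'hypo_menu_label', '' ) . '</li>';
}

// --- Hardened version --------------------------------------------------
// Only logged-in users can reach the handler (no nopriv hook); the request
// must carry a valid nonce; and the user must hold the capability that
// governs Appearance > Menus before anything is written.
add_action( 'wp_ajax_hypo_save_menu_label', 'hypo_save_menu_label_secure' );

function hypo_save_menu_label_secure() {
    // CSRF protection: dies with HTTP 403 on a missing or invalid nonce.
    check_ajax_referer( 'hypo_menu_nonce', 'nonce' );

    // Authorization: the nonce alone proves intent, not privilege.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input sanitization: strip tags, NUL bytes and stray whitespace.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';
    update_option( 'hypo_menu_label', $label );
    wp_send_json_success();
}

function hypo_render_menu_label_secure() {
    // Output escaping regardless of what was stored: defence in depth for
    // values written before the fix or through some other code path.
    echo '<li class="menu-item">' . esc_html( get_option( 'hypo_menu_label', '' ) ) . '</li>';
}

// The editor-side JavaScript that calls the hardened handler would send
// wp_create_nonce( 'hypo_menu_nonce' ) in the "nonce" POST field.
```

Two points worth keeping separate when reviewing a plugin for this class of bug: `check_ajax_referer()` defends against cross-site request forgery but says nothing about who the user is, so the `current_user_can()` check is what actually closes the unauthenticated-write hole; and `sanitize_text_field()` at save time does not remove the need for `esc_html()` at output, because the database may already contain a payload written while the site was vulnerable.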

Who is at risk and possible impacts

At risk:

  • Any WordPress site running Master Addons for Elementor at version ≤ 2.0.6.1.
  • Sites with the vulnerable Navigation Menu widget active or any other widget that reuses the same vulnerable save/render path.
  • Sites with public visitors — the vulnerability targets front‑end rendering and affects all visitors and logged-in users.
  • Sites where administrators, editors, or privileged users may visit the front-end while authenticated.

Possible impacts:

  • Website visitors experiencing redirects, popups, or forced downloads.
  • Session abuse for logged-in users: WordPress auth cookies are HttpOnly and cannot be read by script, but injected JavaScript can harvest the REST/AJAX nonces and other data present in the page and submit authenticated requests as that user.
  • Account takeover of privileged users if the payload uses an administrator's session to create accounts, change the admin e-mail, or install a malicious plugin.
  • SEO spam, injected links, or malware distribution.
  • Persistent JavaScript backdoors communicating with attacker infrastructure.
  • Loss of customer trust and potential regulatory exposure if personal data is exfiltrated.

Indicators of compromise (IoCs) and what to look for now

Search for traces commonly associated with stored XSS payloads. Attackers often obfuscate, so look for anomalies rather than exact patterns alone.

Things to check immediately:

  • Unexpected menu items or labels in Appearance → Menus, or in nav menu widgets.
  • Database entries (wp_posts rows with post_type = 'nav_menu_item') containing