CVE-2024-51682: WordPress HT Builder – WordPress Theme Builder for Elementor plugin <= 1.3.0 - Stored Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HT Builder – WordPress Theme Builder for Elementor ht-builder allows Stored XSS.This issue affects HT Builder – WordPress Theme Builder for Elementor: from n/a through <= 1.3.0.
Security readout for executives and security teams
Plain-English summary
This is a stored cross-site scripting flaw in the WordPress HT Builder plugin for Elementor. A user with some site access could store script content that later runs in another user's browser, potentially exposing session data or changing page behavior.
Executive priority
Treat as a moderate website security issue. Prioritize internet-facing WordPress sites, especially those with multiple content editors or client-managed accounts, but do not treat as emergency active exploitation based on the provided evidence.
Technical view
CVE-2024-51682 is CWE-79 in HasThemes HT Builder through version 1.3.0. The CVSS 3.1 score is 6.5 with network access, low complexity, low privileges required, user interaction required, and changed scope.
Likely exposure
Exposure is limited to WordPress sites using HT Builder – WordPress Theme Builder for Elementor version 1.3.0 or earlier. Risk is higher where untrusted or lightly trusted users can edit builder content.
Exploitation context
The source bundle does not show CISA KEV listing or active exploitation. The CVSS vector indicates exploitation requires a low-privileged authenticated user and a victim interaction, consistent with stored XSS risk.
Researcher notes
The bundle identifies affected versions through 1.3.0 but does not include vulnerable parameters, proof-of-concept details, or a named fixed release. Avoid assuming exploit availability or remediation specifics beyond vendor guidance.
Mitigation direction
Inventory WordPress sites for the ht-builder plugin and version.
Check HasThemes and Patchstack guidance for a fixed version or official mitigation.
Update the plugin if a vendor-supported fixed version is available.
Restrict content editing privileges to trusted users until remediated.
Consider disabling the plugin where it is unused or risk is unacceptable.
Validation and detection
Confirm whether HT Builder is installed on each WordPress site.
Record plugin versions and flag installations at 1.3.0 or earlier.
Review editor, author, contributor, and admin role assignments.
Check security tooling for stored XSS alerts tied to builder content.
Verify remediation by confirming the plugin is updated, removed, or formally accepted.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.