Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-4643 | WordPress Plugin Vulnerability Report

Plugin Name: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Key Information:

  • Software Type: Plugin
  • Software Slug: bdthemes-element-pack-lite
  • Software Status: Active
  • Software Author: bdthemes
  • Software Downloads: 2,552,973
  • Active Installs: 100,000
  • Last Updated: August 12, 2024
  • Patched Versions: 5.6.12
  • Affected Versions: <= 5.6.11

Vulnerability Details:

  • Name: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.6.11
  • Type: Stored Cross-Site Scripting (XSS)
  • CVE: CVE-2024-4643
  • CVSS Score: 6.4
  • Publicly Published: August 1, 2024
  • Researcher: Webbernaut
  • Description: The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘end_redirect_link’ parameter in versions up to, and including, 5.6.11 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages, which will execute whenever another user accesses the affected page.

Summary:

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress has a vulnerability in versions up to and including 5.6.11 that allows for authenticated Stored Cross-Site Scripting (XSS) attacks. This vulnerability has been patched in version 5.6.12.

Detailed Overview:

The vulnerability in the Element Pack Elementor Addons plugin was identified by researcher Webbernaut. The issue stems from insufficient input sanitization and output escaping in the ‘end_redirect_link’ parameter. This flaw allows authenticated users with contributor-level access or higher to inject malicious scripts into the site. These scripts can then execute whenever another user accesses the affected page, potentially leading to unauthorized actions, data breaches, and further exploitation of the site.

The risks associated with this vulnerability are significant, especially for websites with multiple contributors or those handling sensitive data. If left unpatched, it could result in unauthorized content changes, the execution of harmful scripts, and the exposure of confidential information. The plugin’s developers have responded by releasing version 5.6.12, which addresses this vulnerability by properly sanitizing and escaping the affected input fields.

Advice for Users:

  • Immediate Action: Users are strongly encouraged to update to version 5.6.12 or later immediately to protect their sites from this vulnerability.
  • Check for Signs of Vulnerability: Users should inspect their website for any unexpected behavior, particularly in areas where the ‘end_redirect_link’ parameter is used. If unusual activity is detected, consulting with a security expert is recommended.
  • Alternate Plugins: While the patched version is available, users concerned about ongoing security may want to explore alternative Elementor addon plugins that offer similar functionality.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities like this.

Conclusion:

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 5.6.12 or later to secure their WordPress installations.

Detailed Report: 

In today’s fast-paced digital world, maintaining the security of your WordPress website is critical. One of the most important steps you can take to protect your site from potential threats is to ensure that all your plugins are kept up to date. Recently, a serious vulnerability was discovered in the popular Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin. This vulnerability, identified as CVE-2024-4643, affects versions up to and including 5.6.11 and allows for authenticated Stored Cross-Site Scripting (XSS) attacks. If left unpatched, this flaw could enable attackers with contributor-level permissions or higher to inject malicious scripts into your website, potentially leading to unauthorized actions, data breaches, and further exploitation of your site.

Vulnerability Details:

The vulnerability in the Element Pack Elementor Addons plugin was identified by researcher Webbernaut. The issue stems from insufficient input sanitization and output escaping in the ‘end_redirect_link’ parameter. This flaw allows authenticated users with contributor-level access or higher to inject arbitrary web scripts into pages, which will then execute whenever another user accesses the affected page. These XSS vulnerabilities pose significant risks, including unauthorized content changes, the execution of harmful scripts, and the exposure of confidential information.
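The class of defect described above, shown as an added illustration rather than the plugin's own code: a hypothetical widget setting named after the reported parameter, rendered once without any sanitization or escaping and once with the two layers the fix is said to add. Function names and the settings array are assumed; the escaping calls are the standard WordPress API.

```php
<?php
// Added example, not code from Element Pack. Assumes the WordPress
// functions esc_url_raw(), esc_url() and esc_html() are loaded.

// Unsafe pattern: the stored value goes straight into an attribute. Whoever
// can save the setting (contributor-level here) controls markup that runs in
// every other visitor's browser, which is the stored XSS in the advisory.
function epl_render_redirect_unsafe( array $settings ) {
    $link = $settings['end_redirect_link'] ?? '';
    return '<a class="redirect" href="' . $link . '">Continue</a>';
}

// Layer 1, sanitize on input: esc_url_raw() keeps only the listed protocols
// and strips control characters before the value reaches the database.
// Returns '' when the value does not survive, so callers can refuse it.
function epl_sanitize_redirect_setting( $raw ) {
    return esc_url_raw( (string) $raw, array( 'http', 'https' ) );
}

// Layer 2, escape on output for the exact context: esc_url() for an href,
// esc_html() for the link text. Escaping happens at render time even though
// the value was sanitized on save, so a value that bypassed the save path
// (imports, older rows, direct database edits) is still neutralized.
function epl_render_redirect_safe( array $settings ) {
    $link = epl_sanitize_redirect_setting( $settings['end_redirect_link'] ?? '' );
    if ( '' === $link ) {
        return ''; // do not render a link that failed validation
    }
    return '<a class="redirect" href="' . esc_url( $link ) . '">'
        . esc_html( 'Continue' ) . '</a>';
}
```

When auditing a site, the unsafe shape (a raw setting concatenated into HTML) is what to look for in the plugin code paths that use this parameter; the safe shape is what version 5.6.12 is described as introducing.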

Risks and Potential Impacts:

The risks associated with this vulnerability are considerable, especially for websites that have multiple contributors or handle sensitive data. If exploited, the vulnerability could lead to serious security breaches, including unauthorized changes to your website content, data breaches, and potentially more severe exploits that compromise the integrity of your site. This is particularly concerning for small business owners who may not have the resources to constantly monitor and manage their website’s security.

How to Remediate the Vulnerability:

To protect your website from this vulnerability, the developers of the Element Pack Elementor Addons plugin have released version 5.6.12, which patches the issue by improving input sanitization and output escaping in the affected parameters. Here’s what you should do:

  1. Immediate Action: Update your Element Pack Elementor Addons plugin to version 5.6.12 or later as soon as possible. This update is critical to securing your site against potential exploitation.
  2. Check for Signs of Vulnerability: Review your website for any unexpected behavior, particularly in areas where the ‘end_redirect_link’ parameter is used. If you notice anything unusual, it’s advisable to consult with a security expert to conduct a thorough audit of your site.
  3. Consider Alternative Plugins: If you’re concerned about the security history of this plugin, you might want to explore alternative Elementor addon plugins with a stronger security track record. Before making any changes, ensure that the new plugin meets your site’s needs and is regularly updated.
  4. Stay Updated: Regularly checking for and applying updates to all your WordPress plugins is one of the most effective ways to protect your site from vulnerabilities. Consider enabling automatic updates or setting reminders to manually check for updates on a weekly basis.

Overview of Previous Vulnerabilities:

It’s worth noting that this isn’t the first time the Element Pack Elementor Addons plugin has faced security challenges. There have been 13 previous vulnerabilities reported since February 2, 2024. While the developers have consistently addressed these issues with updates, the recurrence of vulnerabilities highlights the importance of staying vigilant and proactive in managing your website’s security.

Conclusion:

For small business owners, keeping up with security vulnerabilities can feel overwhelming, especially when you’re focused on running your business. However, the risks of neglecting website security are too significant to ignore. Regular updates, vigilant monitoring, and professional assistance when needed are all critical steps in protecting your website. By staying proactive, you can safeguard your business, your customers, and your online presence from potential threats.

If you don’t have the time or expertise to manage these updates yourself, consider hiring a professional to ensure your website remains secure and up to date. Taking these steps now can save you from potential headaches and losses in the future.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
