Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Gallery and Countdown Widgets – CVE-2024-7247 | WordPress Plugin Vulnerability Report
Plugin Name: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)
Key Information:
- Software Type: Plugin
- Software Slug: bdthemes-element-pack-lite
- Software Status: Active
- Software Author: bdthemes
- Software Downloads: 2,552,973
- Active Installs: 100,000
- Last Updated: August 12, 2024
- Patched Versions: 5.7.3
- Affected Versions: <= 5.7.2
Vulnerability Details:
- Name: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2
- Type: Stored Cross-Site Scripting (XSS)
- CVE: CVE-2024-7247
- CVSS Score: 6.4
- Publicly Published: August 12, 2024
- Researcher: Webbernaut
- Description: The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Gallery and Countdown widgets in all versions up to, and including, 5.7.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages, which will execute whenever another user accesses the affected page.
Summary:
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress has a vulnerability in versions up to and including 5.7.2 that allows for authenticated Stored Cross-Site Scripting (XSS) attacks via the Custom Gallery and Countdown widgets. This vulnerability has been patched in version 5.6.12.
Detailed Overview:
The vulnerability in the Element Pack Elementor Addons plugin was identified by researcher Webbernaut. The issue arises from insufficient input sanitization and output escaping in the Custom Gallery and Countdown widgets. This flaw allows authenticated users with Contributor-level access or higher to inject malicious scripts into pages. These scripts can then execute whenever another user accesses the affected page, leading to unauthorized actions, data breaches, and potential further exploitation of the site.
The risks associated with this vulnerability are significant, particularly for websites with multiple contributors or those handling sensitive data. If left unpatched, it could result in unauthorized content changes, the execution of harmful scripts, and the exposure of confidential information. The plugin’s developers have responded by releasing version 5.6.12, which addresses this vulnerability by properly sanitizing and escaping the affected input fields.
Advice for Users:
- Immediate Action: Users are strongly encouraged to update to version 5.6.12 or later immediately to protect their sites from this vulnerability.
- Check for Signs of Vulnerability: Users should inspect their website for any unexpected behavior, particularly in areas where the Custom Gallery and Countdown widgets are used. If unusual activity is detected, consulting with a security expert is recommended.
- Alternate Plugins: While the patched version is available, users concerned about ongoing security may want to explore alternative Elementor addon plugins that offer similar functionality.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities like this.
Conclusion:
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 5.6.12 or later to secure their WordPress installations.
References:
- Wordfence - Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) 5.7.2 Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Gallery and Countdown Widgets
- Wordfence - Element Pack Elementor Addons Vulnerability Overview
Detailed Report:
In today’s fast-paced digital landscape, maintaining the security of your WordPress website is more critical than ever. One of the most effective ways to safeguard your site from potential threats is to ensure that all your plugins are kept up to date. Recently, a significant vulnerability was discovered in the Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin, which is widely used by many WordPress site owners. This vulnerability, identified as CVE-2024-7247, affects versions up to and including 5.7.2 and allows for authenticated Stored Cross-Site Scripting (XSS) attacks via the Custom Gallery and Countdown widgets. If left unpatched, this vulnerability could enable attackers with Contributor-level permissions or higher to inject malicious scripts into your website, potentially leading to unauthorized actions, data breaches, and further exploitation of your site.
Vulnerability Details:
The vulnerability in the Element Pack Elementor Addons plugin was identified by researcher Webbernaut. This issue arises from insufficient input sanitization and output escaping in the Custom Gallery and Countdown widgets, which are popular features used by many WordPress site owners. The flaw allows authenticated users with Contributor-level access or higher to inject arbitrary web scripts into pages, which will execute whenever another user accesses the affected page. These XSS vulnerabilities pose significant risks, including unauthorized content changes, the execution of harmful scripts, and the exposure of confidential information.
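To make the bug class concrete, the following is an added example and not the plugin's own code: a hypothetical Elementor-style widget fragment in which saved control values (a caption, a title, a link) are written into markup first without escaping, then with the sanitize-on-input / escape-on-output pattern the patch description refers to. The function names, the `$settings` keys and the class name are assumptions; the WordPress functions (`sanitize_text_field`, `esc_url_raw`, `esc_attr`, `esc_url`, `esc_html`) are real and are why the script must run inside WordPress, for instance with `wp eval-file escaping-demo.php`.

```php
<?php
/**
 * Added example, not the plugin's own code: a hypothetical Elementor-style
 * widget fragment showing unescaped widget attributes beside the hardened
 * form. Function names, class names and the $settings keys are assumptions.
 * Run inside WordPress (e.g. `wp eval-file escaping-demo.php`) so that the
 * WordPress sanitization and escaping functions are defined.
 */

/**
 * VULNERABLE pattern: control values saved by the editing user are echoed
 * straight into attributes and text. A quote or angle bracket in a caption
 * closes the attribute and becomes markup for every visitor of the page.
 */
function epl_demo_render_item_vulnerable( array $settings ): string {
    return '<div class="gallery-item" data-caption="' . $settings['caption'] . '">'
        . '<a href="' . $settings['link'] . '" title="' . $settings['title'] . '">'
        . $settings['title']
        . '</a></div>';
}

/**
 * HARDENED pattern: sanitize on the way in, escape on the way out, choosing
 * the escaper by the context the value lands in:
 *   - esc_attr() for HTML attribute values
 *   - esc_url()  for href/src (also rejects unsafe URL schemes)
 *   - esc_html() for text between tags
 */
function epl_demo_render_item_hardened( array $settings ): string {
    // Input sanitization: belongs where the control value is accepted/saved.
    $caption = sanitize_text_field( $settings['caption'] );
    $title   = sanitize_text_field( $settings['title'] );
    $link    = esc_url_raw( $settings['link'] );

    // Output escaping: belongs in render(), at the moment of output.
    return '<div class="gallery-item" data-caption="' . esc_attr( $caption ) . '">'
        . '<a href="' . esc_url( $link ) . '" title="' . esc_attr( $title ) . '">'
        . esc_html( $title )
        . '</a></div>';
}

// Constructed sample input: a benign caption that merely contains quotes is
// enough to show the problem, because the quotes close the attribute in the
// vulnerable form and are entity-encoded in the hardened form.
$sample = array(
    'caption' => 'Spring "open day" photos',
    'title'   => 'Gallery & more',
    'link'    => 'https://example.com/gallery',
);

echo "Vulnerable output:\n" . epl_demo_render_item_vulnerable( $sample ) . "\n\n";
echo "Hardened output:\n" . epl_demo_render_item_hardened( $sample ) . "\n";
```

In the hardened output `esc_attr()` turns the double quotes in the caption into `&quot;` and `esc_html()` turns the ampersand in the title into `&amp;`, so the structure of the page no longer depends on what a Contributor typed into the widget. The split matters for review: sanitization on save limits what is stored, but only context-correct escaping at output time closes a stored XSS, which is why the fix described above touches both.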
Risks and Potential Impacts:
The risks associated with this vulnerability are considerable, particularly for websites that have multiple contributors or handle sensitive data. If exploited, the vulnerability could lead to severe security breaches, including unauthorized changes to your website content, data breaches, and potentially more severe exploits that compromise the integrity of your site. For small business owners, this type of vulnerability can have devastating consequences, especially if resources are limited and there isn’t a dedicated team to monitor and manage website security.
How to Remediate the Vulnerability:
To protect your website from this vulnerability, the developers of the Element Pack Elementor Addons plugin have released version 5.7.3, which patches the issue by improving input sanitization and output escaping in the affected widgets. Here’s what you need to do:
- Immediate Action: Update your Element Pack Elementor Addons plugin to version 5.7.3 or later as soon as possible. This update is critical for securing your site against potential exploitation.
- Check for Signs of Vulnerability: Review your website for any unexpected behavior, particularly in areas where the Custom Gallery and Countdown widgets are used. If you notice anything unusual, it may be worth consulting with a security expert to conduct a thorough audit of your site.
- Consider Alternative Plugins: If you’re concerned about the security history of this plugin, you might want to explore alternative Elementor addon plugins with a stronger security record. Before making any changes, ensure that the new plugin meets your needs and is regularly updated.
- Stay Updated: Regularly checking for and applying updates to all your WordPress plugins is one of the most effective ways to protect your site from vulnerabilities. Consider enabling automatic updates or setting reminders to manually check for updates on a weekly basis.
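The "immediate action" and "check for signs" steps above can be turned into a repeatable check. The following WP-CLI script is an added example, not something shipped by the plugin or by Wordfence: it reports whether the installed copy of the plugin (matched by the slug `bdthemes-element-pack-lite` from this report) is still below the patched version 5.7.3, then scans the `_elementor_data` post meta in which Elementor stores widget settings for script-like strings and lists the affected post IDs for manual review. The regular expression is a triage heuristic of my own and will flag some legitimate content; anything it reports should be opened in the editor and confirmed by a person.

```php
<?php
/**
 * Added example, not the plugin's own code. Run with:
 *   wp eval-file element-pack-triage.php
 * (1) Reports whether the installed Element Pack Lite is an affected version.
 * (2) Lists posts whose saved Elementor widget data contains script-like
 *     strings, as a starting point for manual review.
 * Slug and version boundary come from the report; the scan pattern is a
 * heuristic assumption, not a definitive indicator of compromise.
 */

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

const EPL_SLUG          = 'bdthemes-element-pack-lite'; // from the report
const EPL_FIXED_VERSION = '5.7.3';                       // from the report

/** Returns array( installed version or null, bool is_affected ). */
function epl_triage_version(): array {
    // get_plugins() keys entries as "plugin-dir/main-file.php"; matching on
    // the directory avoids assuming the plugin's main file name.
    foreach ( get_plugins() as $plugin_file => $data ) {
        if ( dirname( $plugin_file ) === EPL_SLUG ) {
            $version = $data['Version'];
            return array( $version, version_compare( $version, EPL_FIXED_VERSION, '<' ) );
        }
    }
    return array( null, false ); // plugin not installed
}

/** Recursively collects every string value from decoded Elementor data. */
function epl_collect_strings( $node, array &$out ): void {
    if ( is_string( $node ) ) {
        $out[] = $node;
    } elseif ( is_array( $node ) ) {
        foreach ( $node as $child ) {
            epl_collect_strings( $child, $out );
        }
    }
}

/** Post IDs whose _elementor_data holds script-like strings (heuristic). */
function epl_triage_scan(): array {
    global $wpdb;
    // Heuristic: script tags, javascript: URLs, inline event handlers.
    $pattern = '/<\s*script|javascript\s*:|\bon[a-z]+\s*=/i';
    $rows    = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = %s",
            '_elementor_data'
        )
    );
    $flagged = array();
    foreach ( $rows as $row ) {
        $data = json_decode( $row->meta_value, true );
        if ( ! is_array( $data ) ) {
            continue; // not valid JSON, nothing to walk
        }
        $strings = array();
        epl_collect_strings( $data, $strings );
        foreach ( $strings as $s ) {
            if ( preg_match( $pattern, $s ) ) {
                $flagged[] = (int) $row->post_id;
                break; // one hit per post is enough for triage
            }
        }
    }
    return array_values( array_unique( $flagged ) );
}

list( $version, $affected ) = epl_triage_version();
if ( null === $version ) {
    WP_CLI::log( 'Element Pack Lite: not installed' );
} else {
    WP_CLI::log( sprintf(
        'Element Pack Lite %s: %s',
        $version,
        $affected ? 'AFFECTED, update to ' . EPL_FIXED_VERSION . ' or later' : 'patched version'
    ) );
}

foreach ( epl_triage_scan() as $post_id ) {
    WP_CLI::warning( sprintf(
        'Post %d: Elementor data contains script-like content, review it in the editor',
        $post_id
    ) );
}
```

On a large site the scan loads every `_elementor_data` row into memory, so run it from a staging copy or during a quiet period. A clean scan does not prove the site was never abused while it ran an affected version; it only narrows the manual review to the pages whose saved widget settings look suspicious, and the version line tells you whether the update step is still outstanding.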
Overview of Previous Vulnerabilities:
It’s important to note that this isn’t the first time the Element Pack Elementor Addons plugin has faced security challenges. There have been 16 previous vulnerabilities reported since February 2, 2024. While the developers have consistently addressed these issues with updates, the recurrence of vulnerabilities highlights the importance of staying vigilant and proactive in managing your website’s security.
Conclusion:
For small business owners, keeping up with security vulnerabilities can feel overwhelming, especially when you’re focused on running your business. However, the risks of neglecting website security are too significant to ignore. Regular updates, vigilant monitoring, and professional assistance when needed are all critical steps in protecting your website. By staying proactive, you can safeguard your business, your customers, and your online presence from potential threats.
If you don’t have the time or expertise to manage these updates yourself, consider hiring a professional to ensure your website remains secure and up to date. Taking these steps now can save you from potential headaches and losses in the future.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.