Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) Vulnerability – Multiple Authenticated (Contributor+) Stored Cross-Site Scripting Vulnerabilities – CVE-2024-5554, CVE-2024-5555 | WordPress Plugin Vulnerability Report

Plugin Name: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows)

Key Information:

  • Software Type: Plugin
  • Software Slug: bdthemes-element-pack-lite
  • Software Status: Active
  • Software Author: bdthemes
  • Software Downloads: 2,552,973
  • Active Installs: 100,000
  • Last Updated: August 12, 2024
  • Patched Versions: 5.6.12, 5.6.6
  • Affected Versions: <= 5.6.11, <= 5.6.5

Vulnerability 1 Details:

  • Name: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.6.11
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Stored Cross-Site Scripting (XSS)
  • CVE: CVE-2024-5554
  • CVSS Score: 6.4
  • Publicly Published: July 17, 2024
  • Researcher: wesley (wcraft)
  • Description: The Element Pack Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘onclick_event’ parameter in all versions up to, and including, 5.6.11 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an affected page.

Vulnerability 2 Details:

  • Name: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.6.5
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Stored Cross-Site Scripting (XSS)
  • CVE: CVE-2024-5555
  • CVSS Score: 6.4
  • Publicly Published: July 17, 2024
  • Researcher: João Pedro Soares de Alcântara - Kinorth
  • Description: The Element Pack Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘social-link-title’ parameter in all versions up to, and including, 5.6.5 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an affected page.

Summary:

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress has multiple vulnerabilities in versions up to and including 5.6.11 and 5.6.5 that allow for authenticated Stored Cross-Site Scripting (XSS) attacks. These vulnerabilities have been patched in versions 5.6.12 and 5.6.6, respectively.

Detailed Overview:

The vulnerabilities in the Element Pack Elementor Addons plugin were identified by researchers wesley (wcraft) and João Pedro Soares de Alcântara (Kinorth). These vulnerabilities are due to insufficient input sanitization and output escaping in the ‘onclick_event’ and ‘social-link-title’ parameters. Authenticated users with Contributor-level access or higher can exploit these flaws by injecting malicious scripts into pages, which then execute whenever another user accesses the affected page. These XSS vulnerabilities pose significant risks, including unauthorized content changes, data breaches, and potential further exploitation.

The plugin developers have released versions 5.6.12 and 5.6.6 to address these issues, enhancing the security by properly sanitizing and escaping user inputs to prevent such attacks.

Advice for Users:

  • Immediate Action: Users are strongly encouraged to update to versions 5.6.12 or 5.6.6 or later immediately to protect their sites from these vulnerabilities.
  • Check for Signs of Vulnerability: Users should review their site for any unexpected behavior, particularly in areas where the ‘onclick_event’ and ‘social-link-title’ parameters are used. If anything unusual is detected, consider consulting with a security expert.
  • Alternate Plugins: While the patched versions are available, users concerned about ongoing security may want to explore alternative Elementor addon plugins.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities like these.

Conclusion:

The prompt response from the plugin developers to patch these vulnerabilities underscores the importance of timely updates. Users are advised to ensure that they are running versions 5.6.12 or 5.6.6 or later to secure their WordPress installations.

References:

Detailed Report: 

In today’s digital landscape, ensuring the security of your WordPress website is crucial. One of the most important steps you can take to protect your site from potential threats is to keep all your plugins up to date. Recently, multiple vulnerabilities were discovered in the widely used Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin. These vulnerabilities, affecting versions up to and including 5.6.11 and 5.6.5, allow for authenticated Stored Cross-Site Scripting (XSS) attacks. If left unpatched, these vulnerabilities could expose your website to unauthorized content changes, data breaches, and further exploitation by malicious actors.

Vulnerability Details:

The vulnerabilities in the Element Pack Elementor Addons plugin were identified by researchers wesley (wcraft) and João Pedro Soares de Alcântara (Kinorth). These vulnerabilities are due to insufficient input sanitization and output escaping in the ‘onclick_event’ and ‘social-link-title’ parameters. Authenticated users with Contributor-level access or higher can exploit these flaws by injecting malicious scripts into pages, which then execute whenever another user accesses the affected page.

Risks and Potential Impacts:

The risks associated with these vulnerabilities are significant, particularly for small business owners who may not have the resources or time to continuously monitor their website for security issues. If exploited, these vulnerabilities could allow attackers to inject harmful scripts into your website, leading to unauthorized content changes, data breaches, and potential harm to your business’s reputation. Given the widespread use of the Element Pack Elementor Addons plugin, these vulnerabilities could impact a large number of websites, increasing the urgency to address these issues.

How to Remediate the Vulnerability:

To protect your website from these vulnerabilities, the developers of the Element Pack Elementor Addons plugin have released versions 5.6.12 and 5.6.6, which patch these issues by improving input sanitization and output escaping across all affected fields. Here’s what you need to do:

  1. Immediate Action: Update your Element Pack Elementor Addons plugin to versions 5.6.12 or 5.6.6 or later as soon as possible. This update is crucial for securing your site against potential exploitation.
  2. Check for Signs of Vulnerability: Review your website for any unexpected behavior, particularly in areas where the ‘onclick_event’ and ‘social-link-title’ parameters are used. If you notice anything unusual, it may be worth consulting with a security expert to conduct a thorough audit.
  3. Consider Alternative Plugins: If you are concerned about the security history of this plugin, you may want to explore alternative Elementor addon plugins with a stronger security record. Ensure that any new plugin you choose meets your needs and is regularly updated.
  4. Stay Updated: Regularly checking for and applying updates to all your WordPress plugins is one of the most effective ways to protect your site from vulnerabilities. Consider enabling automatic updates or setting a reminder to manually check for updates weekly.

Overview of Previous Vulnerabilities:

It’s important to note that this isn’t the first time the Element Pack Elementor Addons plugin has faced security challenges. There have been 13 previous vulnerabilities reported since February 2, 2024. While the developers have consistently addressed these issues with updates, the recurrence of vulnerabilities highlights the importance of staying vigilant and proactive in your website’s security management.

Conclusion:

For small business owners, keeping up with security vulnerabilities can be overwhelming, especially when you’re focused on running your business. However, the risks of neglecting website security are too significant to ignore. Regular updates, vigilant monitoring, and professional assistance when needed are all critical steps in protecting your website. By staying proactive, you can safeguard your business, your customers, and your online presence from potential threats.

If you don’t have the time or expertise to manage these updates yourself, consider hiring a professional to ensure your website remains secure and up to date. Taking these steps now can save you from potential headaches and losses in the future.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) Vulnerability – Multiple Authenticated (Contributor+) Stored Cross-Site Scripting Vulnerabilities – CVE-2024-5554, CVE-2024-5555 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment