Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-2091 |WordPress Plugin Vulnerability Report
Plugin Name: Elementor Addon Elements
Key Information:
- Software Type: Plugin
- Software Slug: addon-elements-for-elementor-page-builder
- Software Status: Active
- Software Author: webtechstreet
- Software Downloads: 2,523,308
- Active Installs: 100,000
- Last Updated: March 26, 2024
- Patched Versions: 1.13.2
- Affected Versions: <= 1.13.1
Vulnerability Details:
- Name: Elementor Addon Elements <= 1.13.1 Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CVE: CVE-2024-2091
- CVSS Score: 5.4
- Publicly Published: March 26, 2024
- Researcher: Wesley
- Description: The Elementor Addon Elements plugin, a popular extension for the Elementor Page Builder, has been identified as vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to 1.13.1. This vulnerability stems from the plugin's lack of proper input sanitization and output escaping, enabling attackers with contributor-level access or higher to inject harmful scripts into web pages, which are then executed when accessed by unsuspecting users.
Summary:
The Elementor Addon Elements plugin for WordPress harbors a significant security flaw in versions up to and including 1.13.1, exposing sites to potential Stored Cross-Site Scripting attacks. This vulnerability, addressed in version 1.13.2, underscores the importance of maintaining up-to-date security measures within WordPress plugins.
Detailed Overview:
Discovered by the security researcher Wesley, this XSS vulnerability within the Elementor Addon Elements plugin presents a clear and present danger to WordPress sites using affected versions. By exploiting the insufficient input sanitization of the plugin's widgets, authenticated users with sufficient permissions can embed arbitrary scripts into pages. Such scripts could compromise user data, hijack sessions, or redirect users to malicious sites, highlighting the critical nature of this vulnerability.
Advice for Users:
- Immediate Action: Users of the Elementor Addon Elements plugin should promptly update to the patched version 1.13.2 to mitigate the risk posed by this vulnerability.
- Check for Signs of Vulnerability: Site administrators are encouraged to review their sites for unusual content changes or unexpected script executions, indicative of a potential XSS exploit.
- Alternate Plugins: While the latest patch rectifies the XSS vulnerability, users may consider alternative Elementor addons that offer similar functionality but with a robust security track record as an added precaution.
- Stay Updated: Ensuring that all WordPress themes, plugins, and the core system are up to date is paramount in safeguarding against known vulnerabilities and enhancing site security.
Conclusion:
The swift response by the developers of the Elementor Addon Elements plugin in releasing a patch for the XSS vulnerability highlights the critical role of ongoing vigilance and timely updates in the digital landscape. By adhering to best practices for security, including regular updates and thorough site monitoring, WordPress site owners can significantly mitigate the risk of exploitation and ensure a secure environment for their users.
References:
- Wordfence Vulnerability Report on Elementor Addon Elements
- General Wordfence Vulnerability Database for Elementor Addon Elements