Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-3743 | WordPress Plugin Vulnerability Report
Plugin Name: Elementor Addon Elements
Key Information:
- Software Type: Plugin
- Software Slug: addon-elements-for-elementor-page-builder
- Software Status: Active
- Software Author: webtechstreet
- Software Downloads: 2,632,773
- Active Installs: 100,000
- Last Updated: May 12, 2024
- Patched Versions: 1.13.4
- Affected Versions: <= 1.13.3
Vulnerability Details:
- Name: Elementor Addon Elements <= 1.13.3
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-3743
- CVSS Score: 6.4
- Publicly Published: April 29, 2024
- Researcher: stealthcopter
- Description: The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Stack Group, Shape Separator, Content Switcher, Info Circle, and Timeline widgets in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Elementor Addon Elements plugin for WordPress has a vulnerability in versions up to and including 1.13.3 that enables authenticated contributors to inject malicious scripts into web pages. This vulnerability has been patched in version 1.13.4.
Detailed Overview:
This vulnerability was discovered by the researcher known as stealthcopter and involves multiple widgets within the Elementor Addon Elements plugin. It specifically targets the plugin’s handling of input sanitization and output escaping, allowing attackers to store malicious scripts in the widgets such as Image Stack Group, Shape Separator, Content Switcher, Info Circle, and Timeline. These scripts can compromise the security of the website by executing unauthorized actions or stealing data when other users view the compromised pages. The release of version 1.13.4 has addressed these issues by improving the security measures related to input handling.
Advice for Users:
- Immediate Action: Update to version 1.13.4 immediately to secure your site against this vulnerability.
- Check for Signs of Vulnerability: Administrators should review their site’s pages for unexpected scripts or content alterations that could indicate this vulnerability has been exploited.
- Alternate Plugins: While the latest patch addresses the current vulnerability, users may want to consider other well-reviewed and frequently updated plugins that offer similar functionality to ensure enhanced security.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to minimize the risk of security vulnerabilities.
Conclusion:
The quick response by the developers of Elementor Addon Elements to patch this vulnerability highlights the critical importance of keeping digital tools updated. Users are advised to ensure that they are running version 1.13.4 or later to protect their WordPress installations from potential security threats. Regular updates and vigilant security practices are essential in maintaining the safety and integrity of any WordPress site.
References:
- Wordfence Threat Intelligence on Elementor Addon Elements
- More on Vulnerabilities in Elementor Addon Elements
Detailed Report:
In the digital age, a secure website is not just a luxury; it's a necessity. For countless businesses and individual creators, WordPress serves as the backbone of their online presence, enhanced greatly by a myriad of plugins like Elementor Addon Elements. However, this dependency on plugins also brings with it significant security risks, as highlighted by the recent discovery of a serious vulnerability in the Elementor Addon Elements plugin—CVE-2024-3743. This flaw, characterized by a Stored Cross-Site Scripting (XSS) vulnerability, has put numerous websites at risk of data breaches and unauthorized access.
Detailed Overview:
This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. These scripts can compromise the security of the website by executing unauthorized actions or stealing data when triggered. This serious flaw was promptly addressed in the release of version 1.13.4, which implemented improved security measures to prevent such vulnerabilities.
Risks and Potential Impacts:
The risks associated with this vulnerability are considerable. Unauthorized scripts could potentially manipulate data, steal sensitive information, or redirect visitors to malicious sites. For businesses, such exposure could lead to significant reputational damage, loss of customer trust, and potential legal implications if customer data were compromised.
Overview of Previous Vulnerabilities:
Since September 8, 2020, the Elementor Addon Elements plugin has encountered 19 previous vulnerabilities, highlighting the ongoing challenge of maintaining security in dynamically evolving digital environments.
Conclusion:
The quick and effective response by the developers of Elementor Addon Elements to patch the CVE-2024-3743 vulnerability underscores the critical importance of timely updates in the realm of digital security. For small business owners managing WordPress sites, it is particularly vital to stay informed about potential vulnerabilities and ensure that all digital tools are kept up to date. Proactive security measures are not just a technical necessity but a cornerstone of maintaining a trustworthy and secure online presence.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.