Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

Plugin Name: Elementor Addon Elements

Key Information:

  • Software Type: Plugin
  • Software Slug: addon-elements-for-elementor-page-builder
  • Software Status: Active
  • Software Author: webtechstreet
  • Software Downloads: 2,783,086
  • Active Installs: 100,000
  • Last Updated: September 14, 2024
  • Patched Versions: 1.13.6, 1.13.7
  • Affected Versions: <= 1.13.5, <= 1.13.6

Vulnerability 1 Details:

  • Name: Elementor Addon Elements <= 1.13.5
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-4401
  • CVSS Score: 6.4
  • Publicly Published: August 29, 2024
  • Researcher: stealthcopter
  • Description: The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the id and eae_slider_animation parameters in all versions up to and including 1.13.5. This vulnerability is caused by insufficient input sanitization and output escaping, allowing authenticated users with Contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses an injected page, leading to potential security risks such as data theft or site manipulation.

Vulnerability 2 Details:

  • Name: Elementor Addon Elements <= 1.13.6
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-7122
  • CVSS Score: 6.4
  • Publicly Published: August 29, 2024
  • Researcher: Webbernaut
  • Description: The Elementor Addon Elements plugin is also vulnerable to Stored Cross-Site Scripting (XSS) via multiple widgets in all versions up to and including 1.13.6. This issue arises from insufficient sanitization and output escaping on user-supplied attributes, making it possible for Contributor-level users and above to inject malicious web scripts that will execute when the page is viewed. This could result in similar risks, such as unauthorized data access or site manipulation.

Summary:

The Elementor Addon Elements plugin for WordPress has two vulnerabilities in versions up to and including 1.13.5 and 1.13.6. These vulnerabilities allow Contributor-level users to inject malicious scripts via the id and eae_slider_animation parameters or through multiple widgets, due to poor input sanitization and output escaping. These vulnerabilities have been patched in versions 1.13.6 and 1.13.7.

Detailed Overview:

The vulnerabilities were discovered by security researchers stealthcopter and Webbernaut and both involve Stored Cross-Site Scripting (XSS) attacks, which allow malicious scripts to be injected into web pages. The first vulnerability, identified in versions up to 1.13.5, occurs through the id and eae_slider_animation parameters. The second vulnerability, affecting versions up to 1.13.6, involves multiple widgets where user-supplied attributes are not properly sanitized.

These flaws present a significant risk, with a CVSS score of 6.4 for both. Exploiting these vulnerabilities could allow attackers to steal user data, manipulate site content, or perform unauthorized actions on the website. It’s crucial for site owners using the Elementor Addon Elements plugin to update to the patched versions immediately to prevent any potential exploits.

Advice for Users:

  • Immediate Action: Users of the Elementor Addon Elements plugin should update to versions 1.13.6 or 1.13.7 as soon as possible to mitigate these vulnerabilities. These updates patch the input sanitization and output escaping issues that led to the stored XSS risks.
  • Check for Signs of Vulnerability: Review your website’s pages and logs for signs of unusual or malicious script activity, particularly on pages that may have been accessed or edited by Contributor-level users.
  • Alternate Plugins: While the patch addresses these specific vulnerabilities, users may want to explore alternative plugins for added peace of mind. However, with the vulnerabilities patched, Elementor Addon Elements remains a viable option for managing Elementor-based elements.
  • Stay Updated: Ensure that you keep all your plugins, including Elementor Addon Elements, updated to the latest versions. Regular updates are critical for patching known vulnerabilities and protecting your site from future exploits.

Conclusion:

The quick response by the Elementor Addon Elements development team in patching these vulnerabilities underscores the importance of timely plugin updates. Website owners using this plugin are encouraged to update to version 1.13.7 or later to secure their WordPress installations against these XSS vulnerabilities. Staying proactive with updates is key to maintaining a secure website.

References:

Detailed Report: 

Keeping your WordPress website secure is essential, especially for small business owners who rely on plugins to enhance functionality and manage content. A recent discovery of vulnerabilities in the Elementor Addon Elements plugin highlights the importance of regular updates to avoid potential security risks. The plugin, which has over 2.7 million downloads and is actively used by 100,000+ sites, was found to have two vulnerabilities, CVE-2024-4401 and CVE-2024-7122, that could allow malicious actors to inject harmful scripts into your website.

These vulnerabilities are known as Stored Cross-Site Scripting (XSS), which allows Contributor-level users to inject malicious web scripts into pages through improper sanitization of user inputs. If not addressed, these flaws can lead to unauthorized data access, site manipulation, or data theft. Thankfully, the plugin’s developers have patched the issues in versions 1.13.6 and 1.13.7, but any website still running older versions remains at risk.

If you’re concerned about your site’s security or unsure if your plugin is updated, this post will walk you through the vulnerabilities, their risks, and the steps you can take to secure your site.

Risks and Potential Impacts:

Both vulnerabilities have a CVSS score of 6.4, indicating a moderate risk. If exploited, these flaws could allow Contributor-level users to inject malicious scripts that execute when pages are accessed, potentially leading to data theft, site defacement, or other unauthorized actions. For small business owners who rely on Contributor-level users to manage content, this could mean exposing sensitive data or compromising the integrity of your website.

Because these vulnerabilities involve Stored Cross-Site Scripting (XSS), the impact could be far-reaching if not resolved. Malicious scripts can remain on the site and affect multiple users over time, making it critical to address this issue promptly.

Remediation:

To secure your site, follow these steps:

  1. Immediate Action: Update the Elementor Addon Elements plugin to versions 1.13.6 or 1.13.7. These versions fix the vulnerabilities by improving input sanitization and output escaping, preventing Contributor-level users from injecting harmful scripts.
  2. Check for Signs of Vulnerability: Review your website’s pages, error logs, and access records to look for unusual activity or script injection, particularly from Contributor-level users. If you notice any suspicious behavior, take immediate action to remove harmful content.
  3. Consider Alternative Plugins: If you’re particularly concerned about security risks, you may want to explore alternative Elementor-compatible plugins with a strong track record of security. However, once updated, Elementor Addon Elements remains a reliable and safe option for enhancing your site.
  4. Stay Updated: Regularly check for updates to all your WordPress plugins, especially those that handle user-generated content or site functionality. Keeping your plugins updated is the best way to stay ahead of potential security threats.

Overview of Previous Vulnerabilities:

Since September 8, 2020, there have been 23 vulnerabilities reported in the Elementor Addon Elements plugin, all of which were addressed through timely updates by the development team. This history underscores the importance of regular updates, as even widely-used and trusted plugins can experience security issues over time. Staying current with updates helps protect your site from known vulnerabilities that could otherwise be exploited.

Conclusion:

For small business owners, managing a WordPress website can be time-consuming, and staying on top of plugin updates may seem like an additional burden. However, as the recent vulnerabilities in Elementor Addon Elements show, failing to update your plugins can expose your site to serious security risks. By keeping your plugins updated and regularly monitoring your site for potential issues, you can ensure that your website remains secure and functional.

If you don’t have time to handle updates manually, consider enabling automatic updates or working with a professional to help manage your website’s security. Staying proactive with updates is key to protecting your business and maintaining the trust of your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment