Elementor Addon Elements Vulnerability – Directory Traversal to Local File Inclusion – CVE-2024-1358 | WordPress Plugin Vulnerability Report
Plugin Name: Elementor Addon Elements
Key Information:
- Software Type: Plugin
- Software Slug: addon-elements-for-elementor-page-builder
- Software Status: Active
- Software Author: webtechstreet
- Software Downloads: 2,406,134
- Active Installs: 100,000
- Last Updated: February 21, 2024
- Patched Versions: 1.13
- Affected Versions: <= 1.12.12
Vulnerability 1 Details:
- Name: Elementor Addon Elements <= 1.12.12 - Directory Traversal to Local File Inclusion
- Title: Directory Traversal to Local File Inclusion
- Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CVE: CVE-2024-1358
- CVSS Score: 8.8 (High)
- Publicly Published: February 21, 2024
- Researcher: wesley (wcraft)
- Description: The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of arbitrary PHP files on the server, which may expose sensitive information.
Vulnerability 2 Details:
- Name: Elementor Addon Elements <= 1.12.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Modal Popup effet
- Title: Authenticated(Contributor+) Stored Cross-Site Scripting via Modal Popup effet
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-1422
- CVSS Score: 6.4 (Medium)
- Publicly Published: February 21, 2024
- Researcher: Webbernaut
- Description: The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the modal popup widget's effect setting in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Vulnerability 3 Details:
- Name: Elementor Addon Elements <= 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Content Switcher Widget
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-1393
- CVSS Score: 6.4 (Medium)
- Publicly Published: February 21, 2024
- Researcher: Nikolas - mdr
- Description: The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'icon_align' attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Elementor Addon Elements for WordPress has multiple vulnerabilities in versions up to and including 1.12.12 that could allow authenticated users to access sensitive files or inject malicious scripts. These vulnerabilities have been patched in version 1.13.
Detailed Overview:
The plugin is vulnerable to a directory traversal issue that could let authenticated users access arbitrary server files. It is also susceptible to multiple stored XSS issues that could allow attackers to inject scripts into pages. These could be leveraged by authenticated users with contributor access or higher to potentially steal admin sessions, take over user accounts, or insert malicious redirects. The vulnerabilities were responsibly disclosed by multiple researchers and have CVSS scores ranging from 6.4 to 8.8.
Advice for Users:
- Immediate Action: Update to version 1.13 as soon as possible.
- Check for Signs of Vulnerability: Review web server and WordPress logs for any suspicious activity. Also check for unauthorized code or scripts on your site.
- Alternate Plugins: Consider using alternate elementor addons like Elementor Extras or PowerPack Elements.
- Stay Updated: Enable auto-updates for plugins and themes and periodically check the WordPress repository for new releases.
Conclusion:
These issues further demonstrate why keeping WordPress and plugins updated is critical. Users should install the patch immediately or seek alternate plugins that provide similar functionality without vulnerabilities.
References:
Detailed Report
Do you use the popular Elementor Addon Elements plugin to enhance your WordPress site? If so, a recently disclosed vulnerability potentially puts your site at risk until you update. This post will cover the details of the vulnerability, how it can be exploited, and why keeping WordPress and your plugins updated is so critical for security.
I know that maintaining updates is probably the last thing you want to worry about while running your small business. But outdated software is cybercriminals' best friend. Neglecting it opens the door for account takeovers, malware infections, and data theft. As a website owner myself, I get how tempting it is to take a "if it ain't broke, don't fix it" approach. However, some gaps don't cause obvious issues until it's too late.
What Does This Plugin Do?
The Elementor Addon Elements plugin powers customizations and enhancements for over 100,000 WordPress sites. It integrates additional widgets and capabilities to extend what the Elementor page builder can do.
What's the Vulnerability?
Researchers recently disclosed multiple concerning vulnerabilities impacting all Elementor Addon Elements versions up to 1.12.12. The issues stem from insufficient input sanitization and output escaping in different widget settings.
Specifically, this enables the following depending on a user's role:
- Data Exposure: Authenticated users with contributor access or higher can exploit a directory traversal bug to view sensitive server files like configs, databases, and passwords.
- Account Takeover: Contributors and administrators also have multiple avenues to achieve stored cross-site scripting (XSS). By injecting scripts into pages, they could steal admin sessions and take over accounts.
- Phishing: Visiting users could have their accounts compromised or be redirected to phishing sites trying to steal credentials.
Why This Matters
The vulnerabilities are especially concerning given the high user base and the permissions required to exploit them. Even if you fully trust all your backend users, your site could still be compromised via an account stuffing attack.
And with 10 prior vulnerabilities over the past few years, the risk of overlooked gaps is apparently real. Updates here clearly matter.
What You Can Do
Fortunately, the issues have CVSS scores ranging from 6.4 to 8.8, so they require some user interaction or prerequisites. But upgrading to version 1.13 should still be a top priority for security and peace of mind.
For site owners without the bandwidth to actively maintain plugins, enabling auto-updates is highly recommended as well. Alternate elementor addons without disclosures may also be worth considering.
Staying Secure Is a Never-Ending Task
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.