Elementor Addons by Livemesh Vulnerability – Authenticated Stored Cross-Site Scripting Vulnerabilities – CVE-2024-2539 & CVE-2024-2655 | WordPress Plugin Vulnerability Report
Plugin Name: Elementor Addons by Livemesh
Key Information:
- Software Type: Plugin
- Software Slug: addons-for-elementor
- Software Status: Active
- Software Author: livemesh
- Software Downloads: 3,814,639
- Active Installs: 60,000
- Last Updated: April 16, 2024
- Patched Versions: 8.3.7
- Affected Versions: <= 8.3.6
Vulnerability 1 Details:
- Name: Elementor Addons by Livemesh <= 8.3.6
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via widget _id attribute
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2539
- CVSS Score: 6.4
- Publicly Published: April 9, 2024
- Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
- Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget '_id' attributes in all versions up to, and including, 8.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This vulnerability allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Vulnerability 2 Details:
- Name: Elementor Addons by Livemesh <= 8.3.6
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Display Name
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2655
- CVSS Score: 6.4
- Publicly Published: April 9, 2024
- Researcher: stealthcopter
- Description: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post widgets in all versions up to, and including, 8.3.5 due to insufficient input sanitization and output escaping on author display names. This vulnerability allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts that execute whenever a user accesses an injected page.
Summary:
The Elementor Addons by Livemesh plugin for WordPress has vulnerabilities in versions up to and including 8.3.6 that allow authenticated users with contributor access or higher to perform stored cross-site scripting attacks via both widget _id attributes and display names. These vulnerabilities have been patched in version 8.3.7.
Detailed Overview:
The vulnerabilities in the Elementor Addons by Livemesh plugin pose significant security risks, potentially allowing attackers to execute malicious scripts, steal user data, or take over user sessions. These flaws were identified in two different components of the plugin: widget '_id' attributes and display names in post widgets. The patches in version 8.3.7 address these issues by improving input sanitization and output escaping, crucial steps in protecting against XSS attacks.
Advice for Users:
- Immediate Action: Update your Elementor Addons by Livemesh plugin to version 8.3.7 immediately to secure your website.
- Check for Signs of Vulnerability: Regularly review your website’s pages and logs for any signs of unauthorized script injections or other suspicious activities.
- Alternate Plugins: Consider using alternative plugins that provide similar functionality but with a robust security track record as a precaution.
- Stay Updated: Consistently keeping your plugins updated to the latest versions is key to minimizing the risk of security vulnerabilities.
Conclusion:
The swift action by the developers of Elementor Addons by Livemesh in releasing a security patch demonstrates the critical importance of maintaining current updates. Users are advised to upgrade to version 8.3.7 or later to ensure the security of their WordPress installations against these XSS vulnerabilities.
References:
- Wordfence Vulnerability Report for Elementor Addons by Livemesh
- Wordfence Vulnerabilities Directory for Elementor Addons
Detailed Report:
As the digital landscape evolves, so do the strategies of cyber attackers, making the task of keeping a website secure increasingly challenging. The recent discovery of vulnerabilities in the Elementor Addons by Livemesh—a popular WordPress plugin with over 3.8 million downloads—serves as a stark reminder of why constant vigilance is essential. These vulnerabilities, identified in versions up to and including 8.3.6, could allow attackers to perform stored cross-site scripting (XSS) attacks, exploiting website elements like widget '_id' attributes and author display names to inject harmful scripts.
Vulnerability Insights:
Two significant vulnerabilities were publicized on April 9, 2024, affecting the Elementor Addons by Livemesh plugin:
- CVE-2024-2539: Stored Cross-Site Scripting via widget '_id' attributes allows authenticated attackers with contributor-level access and above to inject web scripts that execute on user visits.
- CVE-2024-2655: Similar XSS vulnerability through the plugin's Post widgets’ display names, posing threats of unauthorized data manipulation or access.
Risks and Impacts:
These vulnerabilities expose websites to several risks, including data theft, unauthorized session control, and a damaged reputation due to compromised user security. The potential for these exploits highlights the critical nature of web security and the impact on business continuity and trust.
Historical Vulnerabilities:
Since its release, the Elementor Addons by Livemesh plugin has experienced 14 documented vulnerabilities. This historical context emphasizes the need for ongoing updates and security practices.
Conclusion:
The swift response by the developers of Elementor Addons by Livemesh in releasing a security patch demonstrates the critical importance of maintaining current updates. Regular software updates are essential defenses against potential breaches, and staying informed through security advisories can preempt significant crises. For small business owners, leveraging tools that automate these processes can help maintain security without requiring constant attention.
In an era where digital presence is intertwined with business success, ensuring the integrity of your online platforms through proactive security measures isn’t just recommended; it’s imperative. By understanding the risks and adopting a rigorous security protocol, you can protect not only your data but also the trust your customers place in your digital hands.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.