ElementsKit Elementor addons and Templates Library Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget – CVE-2024-3650 | WordPress Plugin Vulnerability Report

Plugin Name: ElementsKit Elementor addons and Templates Library

Key Information:

  • Software Type: Plugin
  • Software Slug: elementskit-lite
  • Software Status: Active
  • Software Author: xpeedstudio
  • Software Downloads: 19,230,464
  • Active Installs: 1,000,000
  • Last Updated: May 13, 2024
  • Patched Versions: 3.1.3
  • Affected Versions: 3.0.7 - 3.1.2

Vulnerability Details:

  • Name: ElementsKit Elementor addons 3.0.7 - 3.1.2
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3650
  • CVSS Score: 6.4
  • Publicly Published: April 30, 2024
  • Researcher: wesley
  • Description: The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the Image Accordion widget in all versions from 3.0.7 to 3.1.2 due to insufficient input sanitization and output escaping. This allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

Summary:

The ElementsKit Elementor addons and Templates Library for WordPress has a vulnerability in versions from 3.0.7 to 3.1.2 that enables attackers with contributor-level access to execute stored cross-site scripting via the Image Accordion widget. This vulnerability has been patched in version 3.1.3.

Detailed Overview:

This vulnerability allows attackers to embed malicious scripts into web pages via the Image Accordion widget, which are then executed by users’ browsers when visiting these pages. The issue stems from inadequate security measures in input handling and output rendering within the widget. The potential risks include unauthorized actions performed on behalf of users, data theft, and propagation of malware. To address this vulnerability, developers have introduced stricter input sanitization and output escaping mechanisms in the patched version.

Advice for Users:

  • Immediate Action: Update to the patched version, 3.1.3, immediately to close the security gap.
  • Check for Signs of Vulnerability: Administrators should examine their websites for any unusual scripts or unexpected behavior, especially in pages that feature the Image Accordion widget.
  • Alternate Plugins: While the patched version is secure, exploring other well-maintained plugins offering similar functionality may provide additional safety nets.
  • Stay Updated: Keeping all plugins updated to the latest versions is essential to minimize exposure to vulnerabilities.

Conclusion:

The prompt update released by xpeedstudio to patch this significant vulnerability highlights the critical importance of regular software updates as a cybersecurity measure. It is vital for all users of the ElementsKit Elementor addons and Templates Library to update to version 3.1.3 or later to secure their WordPress installations against potential exploits.

References:

Detailed Report: 

In the ever-evolving digital world, the security of your website cannot be taken for granted. Each software update serves not just as an upgrade but as a necessary fortification against emerging threats. This is vividly illustrated by a recent discovery in the ElementsKit Elementor addons and Templates Library, a widely-used WordPress plugin, which was found to harbor a critical vulnerability. Identified as CVE-2024-3650, this flaw exposes websites to Stored Cross-Site Scripting (XSS) attacks through its Image Accordion widget, affecting versions 3.0.7 to 3.1.2.

Details of the Vulnerability:

The vulnerability, tagged as CVE-2024-3650, was publicly announced on April 30, 2024, by a researcher named Wesley. It affects the Image Accordion widget of the ElementsKit plugin, where insufficient input sanitization and output escaping made it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses an infected page, posing risks such as unauthorized actions, data theft, and malware propagation.

Risks and Potential Impacts:

Such vulnerabilities underscore the peril of neglecting regular updates; they create openings that can be exploited by attackers to conduct unauthorized activities. These activities can compromise sensitive information, hijack user sessions, and even lead to further malware infections that can spread across entire networks.

Remediation Steps:

  1. Update Immediately: Update the ElementsKit Elementor addons and Templates Library to version 3.1.3, where the vulnerability has been addressed.
  2. Check for Signs of Compromise: Web administrators should scan their sites for unexpected scripts or behaviors, especially on pages featuring the Image Accordion widget.
  3. Stay Informed and Prepared: Regularly review update logs and security bulletins for your installed plugins.

Previous Vulnerabilities:

This plugin has seen 10 vulnerabilities reported since April 13, 2021, highlighting an ongoing battle against security threats in widely used software.

Conclusion:

The prompt update released by xpeedstudio to patch this significant vulnerability highlights the critical importance of regular software updates as a cybersecurity measure. For small business owners managing WordPress websites, it is vital to ensure that all software components, including plugins and themes, are regularly updated. Automating these updates, where possible, and utilizing managed WordPress hosting services can reduce the burden while enhancing security. Staying proactive and educated about potential vulnerabilities can significantly mitigate risks and safeguard your online presence against emerging threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

ElementsKit Elementor addons and Templates Library Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget – CVE-2024-3650 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment