ElementsKit Elementor addons Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1239 | WordPress Plugin Vulnerability Report
Plugin Name: ElementsKit Elementor addons
Key Information:
- Software Type: Plugin
- Software Slug: elementskit-lite
- Software Status: Active
- Software Author: xspeedstudio
- Software Downloads: 16,983,084
- Active Installs: 1,000,000
- Last Updated: March 19, 2024
- Patched Versions: 3.0.5
- Affected Versions: <= 3.0.4
Vulnerability Details:
- Name: ElementsKit Elementor addons <= 3.0.4
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-1239
- CVSS Score: 6.4
- Publicly Published: March 15, 2024
- Researcher: RandomRoot
- Description: The ElementsKit Elementor addons plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in versions up to and including 3.0.4. The issue arises from inadequate input sanitization and output escaping associated with the blog post 'read more' button. This flaw allows attackers with contributor-level access or higher to inject malicious scripts into web pages, which are then executed when other users view the affected pages.
Summary:
The ElementsKit Elementor addons plugin for WordPress is affected by Stored Cross-Site Scripting via the blog post 'read more' button in versions up to and including 3.0.4. This vulnerability, identified as CVE-2024-1239, has been resolved in version 3.0.5.
Detailed Overview:
Discovered by the security researcher RandomRoot, this vulnerability stems from insufficient sanitization and escaping of user input related to the 'read more' button in blog posts. Exploitation requires the attacker to have at least contributor-level access to the WordPress site, which lets them embed malicious scripts into pages. These scripts then run in the browser of anyone viewing the injected content and can perform unauthorized actions on that user's behalf, posing significant security risks including data theft and site compromise.
Advice for Users:
- Immediate Action: It is imperative for users to update their ElementsKit Elementor addons plugin to version 3.0.5 without delay.
- Check for Signs of Vulnerability: Administrators should review their site's pages for unusual content or scripts, particularly in blog posts, and audit user roles to ensure only trusted users have content creation privileges.
- Alternate Plugins: While the current vulnerability has been patched, users may consider exploring alternative Elementor addons that offer similar functionality, especially if frequent security concerns arise.
- Stay Updated: Regularly updating all WordPress components, including plugins and themes, is crucial for maintaining site security and preventing future vulnerabilities.
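For the "Check for Signs of Vulnerability" step, the following is an added example, not code from the plugin or from the original advisory: a triage script that walks exported Elementor page data and flags widget settings containing script-like markup. It assumes the page data has been exported as the JSON that Elementor stores in the `_elementor_data` post meta; the widget type and setting keys in the sample are constructed placeholders, not the plugin's real names.

```python
import json
import re

# Markup that should never appear in a button label, link or similar widget setting.
SUSPICIOUS = re.compile(
    r"<\s*(?:script|iframe|object|embed|svg)\b"  # active-content tags
    r"|\bon[a-z]+\s*="                           # inline event handlers such as onerror=
    r"|javascript\s*:",                          # script-scheme URLs
    re.IGNORECASE,
)

def iter_strings(value, path=""):
    """Yield (path, text) for every string nested inside a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from iter_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from iter_strings(child, f"{path}[{index}]")

def scan_elementor_data(raw_json):
    """Return (element id, widget type, setting path, value) for each suspicious setting."""
    findings = []

    def walk(elements):
        for el in elements:
            kind = el.get("widgetType") or el.get("elType")
            # Empty settings may be stored as [] rather than {}; iter_strings handles both.
            for path, text in iter_strings(el.get("settings", {})):
                if SUSPICIOUS.search(text):
                    findings.append((el.get("id"), kind, path, text))
            walk(el.get("elements", []))

    walk(json.loads(raw_json))
    return findings

# Constructed sample: widget type and setting keys are hypothetical placeholders.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": [], "elements": [
    {"id": "b2", "elType": "widget", "widgetType": "example-blog-posts", "elements": [],
     "settings": {"btn_text": "Read more", "btn_icon": {"value": "fas fa-arrow-right"}}},
    {"id": "c3", "elType": "widget", "widgetType": "example-blog-posts", "elements": [],
     "settings": {"btn_text": "Read more<script>alert(1)</script>"}},
    {"id": "d4", "elType": "widget", "widgetType": "example-blog-posts", "elements": [],
     "settings": {"btn_link": {"url": "javascript:alert(1)"}}},
]}])

if __name__ == "__main__":
    for finding in scan_elementor_data(SAMPLE):
        print(finding)
```

The pattern is a review heuristic: a hit means the setting needs a human look, and pages that legitimately embed iframes or SVG in HTML widgets will also be listed.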
Conclusion:
The swift response from the developers of ElementsKit Elementor addons in addressing this vulnerability highlights the critical nature of maintaining up-to-date software on your WordPress site. By updating to version 3.0.5 or later, users can protect their websites from potential exploitation through this Stored Cross-Site Scripting vulnerability.