Essential Addons for Elementor Vulnerabilities - Authenticated Stored Cross-Site Scripting – CVE-2024-0586 & CVE-2024-0585 | WordPress Plugin Vulnerability Report
Plugin Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Key Information:
- Software Type: Plugin
- Software Slug: essential-addons-for-elementor-lite
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 64,711,817
- Active Installs: 2,000,000
- Last Updated: January 17, 2024
- Patched Versions: 5.9.5
- Affected Versions: <= 5.9.4
Vulnerability Details - Section 1:
- Name: Essential Addons for Elementor <= 5.9.4
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Login/Register Element
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (note: the PR:N component is inconsistent with the Contributor+ prerequisite stated in the title and description; a contributor-level prerequisite is PR:L, and with PR:L this vector scores 5.4, the same as Section 2, rather than 6.5)
- CVE: CVE-2024-0586
- CVSS Score: 6.5
- Publicly Published: January 17, 2024
- Researcher: Webbernaut
- Description: The Login/Register element does not adequately sanitize or escape its custom login URL setting before rendering it, so an authenticated attacker with Contributor-level access or higher can store arbitrary web script in a page; the script executes in the browser of every user who views that page.
Vulnerability Details - Section 2:
- Name: Essential Addons for Elementor <= 5.9.4
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Image URL
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CVE: CVE-2024-0585
- CVSS Score: 5.4
- Publicly Published: January 17, 2024
- Researcher: Webbernaut
- Description: The Filterable Gallery widget does not adequately sanitize or escape the Image URL setting before rendering it, so an authenticated attacker with Contributor-level access or higher can store arbitrary web script in a page; the script executes in the browser of every user who views that page.
Summary:
The Essential Addons for Elementor plugin for WordPress is vulnerable in all versions up to and including 5.9.4 to two authenticated (Contributor+) stored cross-site scripting issues: CVE-2024-0586 in the Login/Register element's custom login URL and CVE-2024-0585 in the Filterable Gallery widget's Image URL. Both are fixed in version 5.9.5.
Detailed Overview:
Researcher Webbernaut identified two vulnerabilities in the Essential Addons for Elementor plugin. The first, CVE-2024-0586, affects the Login/Register element, where the custom login URL setting is rendered without adequate sanitization or escaping. The second, CVE-2024-0585, affects the Filterable Gallery widget's Image URL setting, which has the same weakness. Both are stored cross-site scripting issues: a user with Contributor-level access or higher, who is normally allowed only to write drafts, can save a widget setting that carries script, and that script then runs in the browser of anyone who loads the affected page. Stored XSS is dangerous on WordPress in particular because the payload also runs when an administrator views the page, and script running in an administrator's session can use the admin's privileges against the site. The developers have addressed both issues in version 5.9.5.
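To make the class of bug concrete, here is an added illustration written in Python; it is not the plugin's PHP and not a proof of concept from the advisory, which publishes none. It shows a template that drops a saved URL straight into an href attribute, beside a hardened version that allowlists the URL scheme and escapes for the attribute context, which is the job WordPress's esc_url() and esc_attr() functions do in a real plugin. The two payloads, the CSS class name and the function names are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed payloads of the kind a Contributor could type into a widget's
# URL field. Illustrative only; the advisory publishes no proof of concept.
PAYLOAD_SCHEME = "javascript:alert(document.cookie)"
PAYLOAD_BREAKOUT = 'https://example.com/" onmouseover="alert(1)'

# Schemes a login or image URL legitimately needs; anything else is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}


def render_login_link_unsafe(url: str) -> str:
    """Vulnerable pattern: the stored URL lands in an href attribute with no
    scheme check and no attribute escaping, so both payloads survive intact.
    (Hypothetical markup; the class name is made up for the example.)"""
    return f'<a class="eael-login-link" href="{url}">Log in</a>'


def safe_url(url: str) -> str:
    """Allowlist the scheme, the way esc_url() does in WordPress.

    Whitespace and control characters are removed first because browsers
    ignore them inside a scheme (a tab inside "javascript:" still runs).
    A URL with a disallowed scheme becomes an empty string; relative URLs pass.
    """
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return cleaned


def render_login_link_safe(url: str) -> str:
    """Hardened pattern: validate the scheme, then escape for the attribute
    context (esc_url() followed by esc_attr() in a WordPress template)."""
    clean = safe_url(url) or "#"
    return f'<a class="eael-login-link" href="{html.escape(clean, quote=True)}">Log in</a>'


if __name__ == "__main__":
    for payload in (PAYLOAD_SCHEME, PAYLOAD_BREAKOUT):
        print("unsafe:", render_login_link_unsafe(payload))
        print("safe:  ", render_login_link_safe(payload))
```

The two checks are independent and both are needed: scheme validation alone leaves the quote-breakout payload working, and attribute escaping alone leaves javascript: URLs clickable.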
Advice for Users:
- Immediate Action: Update to version 5.9.5 or later immediately, from the Plugins screen in wp-admin or with WP-CLI (wp plugin update essential-addons-for-elementor-lite). Confirm the installed version afterwards (wp plugin get essential-addons-for-elementor-lite --field=version).
- Check for Signs of Exploitation: Review pages and posts that contain a Login/Register element or a Filterable Gallery widget, especially ones last edited by Contributor- or Author-level accounts, and look for URL settings that contain a javascript: scheme, quotes or angle brackets. Audit the user list for Contributor-level accounts you do not recognize, since that access level is all the attacker needs.
- Alternate Plugins: If you cannot update promptly, deactivate the plugin or switch to an alternative Elementor add-on until you can run a patched version.
- Stay Updated: Regularly update your plugins to the latest versions, or enable automatic updates for them, to minimize the window in which a disclosed vulnerability can be exploited.
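For the "check for signs of exploitation" step above, here is an added triage script in Python; it is not from the page or the plugin. It walks the JSON that Elementor stores for each page in the _elementor_data post meta (a tree of elements with elType, widgetType, settings and nested elements) and flags any URL-typed setting that carries a script scheme or attribute-breaking characters. The sample data is constructed, and the widgetType names (eael-login-register, eael-filterable-gallery) and setting keys (custom_login_url, gallery_items, image) are assumptions made for the example, not taken from the plugin's source; the scanner does not depend on them because it checks every URL-named key in every widget.

```python
import json
import re

# Constructed sample of one page's `_elementor_data` post meta. Elementor
# stores the widget tree as JSON in wp_postmeta; the widgetType names and
# setting keys below are assumptions made for this example, not taken from
# the plugin's source.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1", "elType": "section", "elements": [
        {"id": "b2", "elType": "column", "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "eael-login-register",
             "settings": {"custom_login_url": {"url": "javascript:alert(document.cookie)"}}},
            {"id": "d4", "elType": "widget", "widgetType": "eael-filterable-gallery",
             "settings": {"gallery_items": [
                 {"image": {"url": "https://example.com/ok.jpg"}},
                 {"image": {"url": 'https://example.com/x.jpg" onerror="alert(1)'}},
             ]}},
            {"id": "e5", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "Welcome", "link": {"url": "https://example.com/"}}},
        ]},
    ]},
])

DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")
# Characters that have no business in a URL and break out of an href/src attribute.
ATTRIBUTE_BREAKOUT = re.compile(r'[<>"\']')


def looks_malicious(value: str) -> bool:
    """Flag a URL-typed setting carrying a script scheme or attribute metacharacters."""
    # Browsers ignore whitespace and control characters inside a scheme, so
    # collapse them before the prefix check (catches a tab inside "javascript:").
    collapsed = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    return collapsed.startswith(DANGEROUS_SCHEMES) or bool(ATTRIBUTE_BREAKOUT.search(value))


def _is_url_key(key: str) -> bool:
    k = key.lower()
    return k == "url" or k.endswith(("_url", "_link"))


def _walk(node, path, widget, findings):
    """Recursive walk that remembers the enclosing widget for each finding."""
    if isinstance(node, dict):
        if node.get("elType") == "widget":
            widget = (node.get("id"), node.get("widgetType"))
        for key, val in node.items():
            if isinstance(val, str) and _is_url_key(key):
                if looks_malicious(val):
                    findings.append({
                        "widget_id": widget[0] if widget else None,
                        "widget_type": widget[1] if widget else None,
                        "path": "/".join(path + [key]),
                        "value": val,
                    })
            else:
                _walk(val, path + [key], widget, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, path + [str(i)], widget, findings)


def scan_elementor_data(raw_json: str) -> list:
    """Return one finding per suspicious URL setting in an _elementor_data blob."""
    findings = []
    _walk(json.loads(raw_json), [], None, findings)
    return findings


if __name__ == "__main__":
    for f in scan_elementor_data(SAMPLE_ELEMENTOR_DATA):
        print(f"{f['widget_type']} ({f['widget_id']}) {f['path']}: {f['value']!r}")
```

To run it against a real site, export each page's meta with WP-CLI (wp post list --post_type=page,post --format=ids, then wp post meta get <post_id> _elementor_data) and pass the JSON string to scan_elementor_data(). A hit is a reason to inspect the page and its revision history, not proof of exploitation: the check is deliberately broad and will also flag a legitimately mistyped URL.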
Conclusion:
The prompt response from the developers of Essential Addons for Elementor to patch these vulnerabilities highlights the importance of timely software updates. Users are advised to ensure that they are running version 5.9.5 or later to protect their WordPress installations from these security threats.
References:
- Wordfence Vulnerability Report on Essential Addons for Elementor - CVE-2024-0586
- Wordfence Vulnerability Report on Essential Addons for Elementor - CVE-2024-0585
Introduction
In today's digital landscape, where websites serve as pivotal platforms for businesses and communication, maintaining robust website security is critical. The recent identification of vulnerabilities in the Essential Addons for Elementor plugin, marked as CVE-2024-0586 and CVE-2024-0585, underscores the continuous vigilance required in the realm of digital security. These vulnerabilities emphasize the vital importance of keeping your website's components updated to protect against potential cyber threats.
Plugin Overview
Essential Addons for Elementor, developed by wpdevteam, is a highly popular plugin within the WordPress ecosystem, boasting over 64 million downloads and 2 million active installations. This plugin enhances WordPress sites with diverse templates, widgets, kits, and WooCommerce builders, making it an indispensable tool for many users.
Risks and Potential Impacts
These vulnerabilities pose a real security risk. A stored cross-site scripting payload runs in the browser of every visitor to the affected page, including logged-in editors and administrators, and script executing in an administrator's session can act with the administrator's privileges: changing settings, adding users, or injecting further malicious content. The practical outcomes are site compromise, theft of visitor and customer data, and loss of user trust. For small businesses relying on their online presence, such breaches can have far-reaching consequences, from loss of customer confidence to legal challenges.
Previous Vulnerabilities
With nine previous vulnerabilities reported since April 13, 2021, the history of Essential Addons for Elementor highlights the ongoing security challenges faced by popular plugins.
Conclusion
The swift response from the developers of Essential Addons for Elementor to patch these vulnerabilities underlines the critical importance of timely software updates. For small business owners who manage WordPress sites, staying informed and proactive in updating and securing your website is essential. Employing automated update tools, setting regular reminders, or opting for managed WordPress hosting services can help maintain security with minimal effort. Ultimately, understanding and addressing vulnerabilities like CVE-2024-0586 and CVE-2024-0585 is key to safeguarding your digital assets against the evolving landscape of cyber threats.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.