Essential Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-39649 | WordPress Plugin Vulnerability Report

Plugin Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Key Information:

  • Software Type: Plugin
  • Software Slug: essential-addons-for-elementor-lite
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 79,388,161
  • Active Installs: 2,000,000
  • Last Updated: August 12, 2024
  • Patched Versions: 5.9.27
  • Affected Versions: <= 5.9.26

Vulnerability Details:

  • Name: Essential Addons for Elementor <= 5.9.26
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Stored Cross-Site Scripting (XSS)
  • CVE: CVE-2024-39649
  • CVSS Score: 6.4
  • Publicly Published: August 1, 2024
  • Researcher: wesley (wcraft)
  • Description: The Essential Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.9.26. This vulnerability is due to insufficient input sanitization and output escaping, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions and data breaches.

Summary:

The Essential Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 5.9.26 that allows authenticated (Contributor+) stored cross-site scripting. This vulnerability has been patched in version 5.9.27.

Detailed Overview:

Essential Addons for Elementor is a widely-used plugin that enhances the Elementor page builder with additional templates, widgets, kits, and WooCommerce builders. However, a critical security vulnerability was recently discovered in the plugin, identified as CVE-2024-39649. The vulnerability, discovered by security researcher wesley (wcraft), results from insufficient input sanitization and output escaping, making it possible for authenticated users with Contributor-level access to inject malicious scripts into web pages. These scripts execute when a user accesses the compromised page, potentially leading to unauthorized actions such as data breaches or further site exploitation.

This vulnerability has a CVSS score of 6.4, indicating a moderate to high risk. It was publicly disclosed on August 1, 2024, and affects all versions of the Essential Addons for Elementor plugin up to and including 5.9.26. In response to this discovery, the developers at wpdevteam released a patched version, 5.9.27, on August 12, 2024, to address the issue.

Advice for Users:

Immediate Action: Users are strongly encouraged to update to version 5.9.27 immediately to mitigate the risk of stored cross-site scripting attacks.
Check for Signs of Vulnerability: Users should inspect their sites for any unusual scripts or behaviors, particularly if they have Contributor-level users.
Alternate Plugins: While a patch is available, users might consider exploring alternative plugins that offer similar functionality as an extra precaution.
Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities and protect your website’s integrity.

Conclusion:

The prompt response from the Essential Addons for Elementor development team to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 5.9.27 or later to secure their WordPress installations. For small business owners, staying on top of security vulnerabilities might seem overwhelming, but it is essential for protecting your online presence. Regular maintenance, including updates and vulnerability checks, is crucial in safeguarding your site against potential threats. If you need assistance or have concerns about your website's security, don’t hesitate to seek professional help. Staying informed and proactive is key to maintaining a secure and trustworthy website.

References:

Detailed Report:

Maintaining the security of your WordPress website is crucial in protecting your online presence from potential threats. One key aspect of ensuring your website’s safety is regularly updating plugins to prevent vulnerabilities from being exploited by malicious actors. Recently, a significant security vulnerability was discovered in the Essential Addons for Elementor plugin, a widely-used tool that enhances the Elementor page builder with additional templates, widgets, kits, and WooCommerce builders. This vulnerability, identified as CVE-2024-39649, allows attackers with Contributor-level access to inject malicious scripts into your site through stored cross-site scripting (XSS). If not addressed, these scripts could execute whenever a user accesses the compromised page, leading to unauthorized actions and potential data breaches.

Summary:

The Essential Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 5.9.26 that allows authenticated (Contributor+) users to exploit stored cross-site scripting. This vulnerability has been patched in version 5.9.27.

Detailed Overview:

Essential Addons for Elementor is a highly popular plugin that significantly extends the functionality of the Elementor page builder, enabling users to create advanced designs and layouts with ease. However, a serious security vulnerability was identified in the plugin, known as CVE-2024-39649. Discovered by security researcher wesley (wcraft), the vulnerability stems from inadequate input sanitization and output escaping in the plugin, making it possible for authenticated users with Contributor-level access to inject malicious scripts into web pages. These scripts can execute whenever a user accesses the affected page, potentially resulting in unauthorized actions such as data breaches, defacement of content, or further site exploitation.

With a CVSS score of 6.4, this vulnerability poses a moderate to high risk, especially for websites that allow multiple contributors. The vulnerability was publicly disclosed on August 1, 2024, affecting all versions of the Essential Addons for Elementor plugin up to and including 5.9.26. In response, the plugin’s developers at wpdevteam acted promptly, releasing a patched version, 5.9.27, on August 12, 2024, to address the issue.

Risks and Potential Impacts:

The risks associated with this vulnerability are significant, particularly for websites that allow Contributor-level users to manage content. If exploited, the vulnerability could allow attackers to inject harmful scripts into web pages, leading to unauthorized actions such as data breaches, content manipulation, or further security compromises. These actions could severely impact a website’s integrity, user trust, and overall security.

Remediation:

To protect your site, it is crucial to update the Essential Addons for Elementor plugin to the latest version, 5.9.27, immediately. This update addresses the vulnerability and mitigates the risk of cross-site scripting attacks. Additionally, site owners should review their websites for any unusual activity, especially if Contributor-level users have been active. Regularly updating all plugins and performing security audits are essential practices for maintaining a secure WordPress site.

Overview of Previous Vulnerabilities:

Since April 13, 2021, the Essential Addons for Elementor plugin has experienced 35 previous vulnerabilities. This history underscores the importance of regular updates and proactive security measures to protect your website from emerging threats. Although the plugin’s developers have been responsive in addressing these issues, ongoing vigilance remains critical for site security.

Conclusion:

The prompt response from the Essential Addons for Elementor development team to patch this vulnerability highlights the importance of timely updates. For small business owners, staying on top of security vulnerabilities might seem overwhelming, but it is essential for protecting your online presence. Regular maintenance, including updates and vulnerability checks, is key to safeguarding your site against potential threats. If you need assistance or have concerns about your website's security, don’t hesitate to seek professional help. Staying informed and proactive is crucial to maintaining a secure and trustworthy website.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Essential Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-39649 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment