Essential Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-5189 | WordPress Plugin Vulnerability Report
Plugin Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Key Information:
- Software Type: Plugin
- Software Slug: essential-addons-for-elementor-lite
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 76,299,572
- Active Installs: 2,000,000
- Last Updated: July 2, 2024
- Patched Versions: 5.9.24
- Affected Versions: <= 5.9.23
Vulnerability Details:
- Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.23
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-5189
- CVSS Score: 6.4
- Publicly Published: June 10, 2024
- Researcher: wesley
- Description: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_js’ parameter in all versions up to, and including, 5.9.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Essential Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 5.9.23 that allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 5.9.24.
Detailed Overview:
The vulnerability in the Essential Addons for Elementor plugin, identified by researcher wesley, is located in the ‘custom_js’ parameter. This flaw is due to insufficient input sanitization and output escaping, which makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts. These scripts will execute whenever a user accesses a page containing the injected scripts. The risks of this vulnerability include the potential for attackers to perform actions on behalf of other users, access sensitive information, and compromise site integrity. The vulnerability has been addressed in version 5.9.24.
Advice for Users:
- Immediate Action: Users are strongly encouraged to update to the patched version 5.9.24 immediately to mitigate the vulnerability.
- Check for Signs of Exploitation: Users should review their pages for any unexpected or suspicious custom scripts, particularly any saved by Contributor-level accounts, and review user accounts for unauthorized changes.
- Alternate Plugins: While a patch is available, users might consider using alternate plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
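The two checks above (is the installed version still affected, and is there stored custom JS that a low-privilege account should never have been able to save) can be scripted. The following is an added example written for this report, not code from the plugin or its authors. The record shape, the `last_editor_role` field and the sample values are constructed for illustration; on a real site the stored custom JS and its author attribution would come from a database or WP-CLI export, and the correct storage key must be confirmed against the plugin itself.

```python
"""Triage helper for CVE-2024-5189 (Essential Addons for Elementor <= 5.9.23).

Check 1: is the installed plugin version older than the patched release?
Check 2: does any non-empty per-page custom JS exist whose last editor
         holds a role that does not carry the unfiltered_html capability?
         Entries like that are what the advisory describes a Contributor
         being able to store, so they deserve manual review.
"""
import re
from typing import Dict, List, Tuple

PATCHED_VERSION = "5.9.24"

# Roles that hold unfiltered_html by default on a single-site WordPress
# install. Contributor, Author and Subscriber do not.
UNFILTERED_HTML_ROLES = {"administrator", "editor"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.9.23' (or '5.9.24-beta1') into a comparable integer tuple."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is strictly older than the patch."""
    return parse_version(installed) < parse_version(patched)


def suspicious_custom_js(records: List[Dict]) -> List[int]:
    """Return post IDs whose custom_js is non-empty and was last saved by a
    user whose role lacks unfiltered_html."""
    flagged = []
    for rec in records:
        js = (rec.get("custom_js") or "").strip()
        if js and rec.get("last_editor_role") not in UNFILTERED_HTML_ROLES:
            flagged.append(rec["post_id"])
    return flagged


def triage(installed_version: str, records: List[Dict]) -> Dict:
    """Combine both checks into one report a site owner can act on."""
    return {
        "installed_version": installed_version,
        "needs_update": is_affected(installed_version),
        "posts_to_review": suspicious_custom_js(records),
    }


# Constructed sample data (hypothetical site export, not real content).
SAMPLE_RECORDS = [
    {"post_id": 101, "last_editor_role": "administrator",
     "custom_js": "console.log('site ready');"},
    {"post_id": 102, "last_editor_role": "contributor",
     "custom_js": "document.title = 'changed';"},
    {"post_id": 103, "last_editor_role": "contributor", "custom_js": ""},
    {"post_id": 104, "last_editor_role": "author",
     "custom_js": "window.tracked = true;"},
]

if __name__ == "__main__":
    report = triage("5.9.23", SAMPLE_RECORDS)
    print(report)
    # -> needs_update True, posts_to_review [102, 104]
```

Post 103 is not flagged because an empty field is harmless; post 101 is not flagged because an administrator may legitimately save custom JS. Flagged posts are candidates for review, not proof of compromise, and the version check alone is sufficient reason to update.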
Conclusion:
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 5.9.24 or later to secure their WordPress installations.
References:
Detailed Report:
Introduction
In the ever-evolving digital landscape, maintaining the security of your website is paramount. Ensuring that your WordPress plugins are up to date is a critical component of this vigilance. Recently, a significant security vulnerability was discovered in the Essential Addons for Elementor plugin, a widely-used tool for enhancing WordPress websites with advanced templates, widgets, and WooCommerce builders. This vulnerability, identified as CVE-2024-5189, poses a serious risk to websites running versions up to and including 5.9.23.
Risks and Potential Impacts
The vulnerability in the Essential Addons for Elementor plugin allows authenticated attackers with Contributor-level access and above to abuse the 'custom_js' parameter. Because input is not sufficiently sanitized and output is not escaped, arbitrary web scripts can be stored and then execute whenever a user accesses the compromised page. The potential impacts include:
- Unauthorized Actions: Attackers can perform actions on behalf of other users.
- Sensitive Information Access: Attackers may access and manipulate sensitive information.
- Site Integrity Compromise: The overall integrity and functionality of the site can be jeopardized.
Previous Vulnerabilities
Since April 13, 2021, there have been 35 previous vulnerabilities identified in the Essential Addons for Elementor plugin. This history underscores the importance of regularly updating plugins and staying informed about potential security issues.
Conclusion
The prompt response from the plugin developers to patch this vulnerability highlights the critical importance of timely updates. For small business owners with WordPress websites, staying on top of security vulnerabilities can be challenging, but it is essential for protecting your site and your customers' data. Regularly updating your plugins and being aware of security advisories can significantly reduce your risk. If you find it difficult to keep up with these updates, consider employing security plugins or services that can automate these tasks and provide peace of mind.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.