Essential Addons for Elementor Vulnerability – Best Elementor Templates, Widgets, Kits & WooCommerce Builders – Authenticated (Author+) PHP Object Injection via error_resetpassword – CVE-2024-3018 | WordPress Plugin Vulnerability Report

Plugin Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Key Information:

  • Software Type: Plugin
  • Software Slug: essential-addons-for-elementor-lite
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 69,249,566
  • Active Installs: 2,000,000
  • Last Updated: April 3, 2024
  • Patched Versions: 5.9.14
  • Affected Versions: <= 5.9.13

Vulnerability Details:

  • Name: Essential Addons for Elementor <= 5.9.13
  • Title: Authenticated (Author+) PHP Object Injection via error_resetpassword
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-3018
  • CVSS Score: 8.8
  • Publicly Published: March 29, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 5.9.13 via deserialization of untrusted input from the 'error_resetpassword' attribute in the "Login | Register Form" widget. This vulnerability requires the attacker to have author-level access or higher, enabling them to exploit the plugin's deserialization process to inject a malicious PHP Object. This could potentially lead to arbitrary file deletion, sensitive data retrieval, or code execution, especially if a suitable Property-Oriented Programming (POP) chain is accessible through other installed plugins or themes.


The Essential Addons for Elementor plugin for WordPress harbors a significant security flaw in versions up to and including 5.9.13, wherein authenticated users with at least author-level permissions can exploit PHP Object Injection via the 'error_resetpassword' attribute. This vulnerability has been effectively addressed in version 5.9.14, thus reinforcing the need for immediate updates.

Detailed Overview:

This vulnerability, discovered by researcher Ngô Thiên An from VNPT-VCI, resides within the "Login | Register Form" widget of the plugin. The issue stems from the deserialization of untrusted inputs, which can be manipulated by an attacker to achieve PHP Object Injection. The implications of this vulnerability are particularly severe if the WordPress installation contains additional plugins or themes that might provide a viable POP chain, thereby amplifying the potential for harm, including code execution, data theft, or site compromise.

Advice for Users:

  • Immediate Action: Users of the Essential Addons for Elementor plugin should promptly update to version 5.9.14 to mitigate the risks associated with this vulnerability.
  • Check for Signs of Vulnerability: Administrators should inspect their websites for unusual activities or unauthorized changes, which may indicate exploitation.
  • Alternate Plugins: Although a patch is available, users may consider exploring alternative Elementor addon plugins that offer similar functionality, particularly if they are concerned about the history of vulnerabilities in this plugin.
  • Stay Updated: It's crucial to regularly update all WordPress components, including themes and plugins, to protect against known vulnerabilities and ensure the security and functionality of your website.


The swift action taken by the developers of Essential Addons for Elementor to release a patch for this vulnerability underscores the critical nature of maintaining up-to-date software. To safeguard WordPress sites against potential threats, it's imperative that users promptly update their installations to version 5.9.14 or later.


Detailed Report: 

In today's digital ecosystem, a website is more than just an online brochure; it's a crucial interface between businesses and their customers. However, this digital frontier is fraught with vulnerabilities, as underscored by the recent discovery of a critical security flaw in the "Essential Addons for Elementor" plugin. Dubbed CVE-2024-3018, this vulnerability serves as a potent reminder of the constant vigilance required to safeguard digital assets against evolving cyber threats.

Essential Addons for Elementor: A Cornerstone Plugin

"Essential Addons for Elementor" stands as a pivotal tool for over 2 million WordPress sites, providing a suite of widgets and templates to enhance site functionality and design. Developed by wpdevteam, this plugin boasts over 69 million downloads, reflecting its popularity and integral role within the WordPress community.

Unveiling CVE-2024-3018

CVE-2024-3018 reveals a PHP Object Injection vulnerability within the plugin, specifically through the 'error_resetpassword' attribute in the "Login | Register Form" widget. Affecting versions up to 5.9.13, this flaw requires author-level access for exploitation, posing a risk of arbitrary file deletion, sensitive data exposure, or even code execution. This vulnerability, discovered by Ngô Thiên An of VNPT-VCI, was publicly disclosed on March 29, 2024, highlighting the plugin's susceptibility to sophisticated attack vectors.

The Risks and Potential Impacts

The implications of CVE-2024-3018 extend beyond mere technical glitches, threatening the very trust and integrity of affected websites. For small business owners, a compromised website could result in data breaches, loss of customer confidence, and potential financial and reputational damage. The severity is further compounded by the fact that this plugin had encountered 21 vulnerabilities since April 13, 2021, underscoring a pattern of security challenges.

Mitigation and Remediation

In response to CVE-2024-3018, wpdevteam swiftly issued a patch with version 5.9.14, addressing the vulnerability. Users are urged to update their plugin to this latest version immediately. Additionally, website administrators should regularly monitor their sites for unusual activities and consider employing security plugins and services to bolster their defenses.

Navigating the Landscape of Previous Vulnerabilities

The historical context of vulnerabilities within the "Essential Addons for Elementor" plugin emphasizes the importance of continuous monitoring and updates. Each vulnerability presents a learning opportunity and a reminder of the persistent threats facing digital platforms.

The Imperative of Proactive Security Measures

For small business owners juggling myriad responsibilities, staying abreast of every security update can be daunting. Yet, the digital security of your WordPress site is paramount. Leveraging managed WordPress hosting services, subscribing to security bulletins, and utilizing automated update and monitoring tools can significantly reduce the burden, ensuring that your website remains secure, functional, and aligned with best practices in cybersecurity.

In conclusion, the discovery of CVE-2024-3018 within the "Essential Addons for Elementor" plugin is a clarion call for vigilance in the digital domain. It underscores the imperative for small business owners to adopt a proactive stance on web security, safeguarding their online presence against the omnipresent threat of cyber vulnerabilities. In the digital age, the security of your website is inextricably linked to the health of your business, making it essential to prioritize, understand, and address these vulnerabilities with the seriousness they warrant.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Essential Addons for Elementor Vulnerability – Best Elementor Templates, Widgets, Kits & WooCommerce Builders – Authenticated (Author+) PHP Object Injection via error_resetpassword – CVE-2024-3018 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment