Essential Addons for Elementor Vulnerability – Best Elementor Templates, Widgets, Kits & WooCommerce Builders – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute – CVE-2024-3333 | WordPress Plugin Vulnerability Report

Plugin Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders

Key Information:

  • Software Type: Plugin
  • Software Slug: essential-addons-for-elementor-lite
  • Software Status: Active
  • Software Author: wpdevteam
  • Software Downloads: 71,347,020
  • Active Installs: 2,000,000
  • Last Updated: April 26, 2024
  • Patched Versions: 5.9.15
  • Affected Versions: <= 5.9.14

Vulnerability Details:

  • Name: Essential Addons for Elementor <= 5.9.14
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Widget URL Attribute
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3333
  • CVSS Score: 6.4
  • Publicly Published: April 16, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The Essential Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attributes of widgets in all versions up to, and including, 5.9.14 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Essential Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 5.9.14 that allows for the injection of arbitrary web scripts through the URL attributes of widgets. This vulnerability has been patched in version 5.9.15.

Detailed Overview:

The vulnerability discovered by Ngô Thiên An at VNPT-VCI is a stored cross-site scripting issue that affects the URL attribute within the widget settings of the Essential Addons for Elementor plugin. Due to inadequate input sanitization and output escaping, authenticated users with at least contributor-level access can inject malicious scripts. These scripts are then permanently stored and executed whenever a page containing the widget is viewed. The risks associated with this vulnerability include unauthorized script execution, which can lead to further web-based attacks, such as stealing cookies or other session information.

Advice for Users:

  • Immediate Action: Update to the patched version 5.9.15 immediately.
  • Check for Signs of Vulnerability: Review widget settings for unexpected or unfamiliar URLs that may contain JavaScript code.
  • Alternate Plugins: While a patch is available, consider using alternative plugins offering similar functionality as a precaution.
  • Stay Updated: Regularly check and update all plugins to their latest versions to prevent vulnerabilities.
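The "check for signs" step above is easier to do systematically than by eye, since Elementor keeps every widget's settings as a JSON tree in the post's `_elementor_data` meta value. The script below is an added example, not code from the plugin, the researcher or this report: it walks that tree, picks out link-like settings (Elementor URL controls and bare string settings whose key mentions url/link/href; the widget types and setting keys in the sample are illustrative assumptions) and flags any URL whose scheme is not on an allowlist, normalising whitespace and control characters first because browsers ignore those when resolving a scheme.

```python
import json
import re
from urllib.parse import urlsplit
# Schemes a widget link may legitimately carry; "" covers relative links such as "/shop".
ALLOWED_SCHEMES = {"", "http", "https", "mailto", "tel"}
LINK_KEY = re.compile(r"url|link|href", re.I)  # setting names that hold a bare URL string

def url_is_suspicious(value: str) -> bool:
    """True when the string resolves to a scheme outside ALLOWED_SCHEMES.
    Browsers drop ASCII tab/newline inside a URL and trim leading controls and
    spaces, so the same characters are removed before parsing; otherwise
    "java<TAB>script:" or "  javascript:" would look scheme-less and pass."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    try:
        scheme = urlsplit(cleaned).scheme
    except ValueError:  # malformed netloc (e.g. unbalanced IPv6 brackets): flag it
        return True
    return scheme.lower() not in ALLOWED_SCHEMES

def find_suspicious_urls(elements, path=""):
    """Walk an Elementor element tree (nested 'elements', each with 'settings')
    and return (path, value) for every link-like setting that fails the check."""
    hits = []
    for i, el in enumerate(elements):
        here = f"{path}/{el.get('widgetType') or el.get('elType', '?')}[{i}]"
        for key, val in el.get("settings", {}).items():
            if isinstance(val, dict) and "url" in val:  # Elementor URL control shape
                cand = val["url"]
            elif isinstance(val, str) and LINK_KEY.search(key):
                cand = val
            else:
                continue
            if isinstance(cand, str) and url_is_suspicious(cand):
                hits.append((f"{here}.{key}", cand))
        hits.extend(find_suspicious_urls(el.get("elements", []), here))
    return hits

def scan_elementor_data(json_text: str):
    """Entry point for one post's _elementor_data meta value (a JSON array)."""
    return find_suspicious_urls(json.loads(json_text))

# Constructed sample shaped like an _elementor_data value; widget types and setting keys are illustrative.
SAMPLE = json.dumps([{"elType": "section", "elements": [{"elType": "column", "elements": [
    {"elType": "widget", "widgetType": "button", "settings": {"link": {"url": "https://example.com/shop"}}},
    {"elType": "widget", "widgetType": "button", "settings": {"link": {"url": "javascript:alert(1)"}}},
    {"elType": "widget", "widgetType": "cta", "settings": {"button_url": " JaVaScRiPt:alert(2)"}},
    {"elType": "widget", "widgetType": "image", "settings": {"image_link": "java\tscript:alert(3)",
                                                              "caption": "Note: plain text is skipped"}},
]}]}])
```

Run `scan_elementor_data()` over each post's `_elementor_data` value (for example, exported via WP-CLI `wp post meta get <id> _elementor_data`) and review every returned path before deciding whether the link is legitimate.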

Conclusion:

The prompt response by the developers of Essential Addons for Elementor to patch this vulnerability highlights the critical nature of maintaining up-to-date installations. Users are advised to update to version 5.9.15 or later to secure their WordPress installations.

Detailed Report: 

In the fast-evolving digital landscape, the security of a website can often hinge on the robustness and timeliness of its components, particularly when it comes to widely-used content management systems like WordPress. A recent vulnerability discovered in the "Essential Addons for Elementor" plugin—a tool employed by over two million websites to enhance their design and functionality—serves as a stark reminder of this critical need for vigilance. This vulnerability, identified as CVE-2024-3333, highlights the ongoing challenges that small business owners face in maintaining a secure online presence amidst their busy schedules.

Vulnerability Details:

The Essential Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the URL attributes of widgets in all versions up to and including 5.9.14. This security flaw was publicly disclosed on April 16, 2024, and has since been patched in version 5.9.15. The vulnerability allows authenticated users, specifically those with contributor-level access or higher, to inject arbitrary web scripts that are executed whenever a user accesses an injected page. The vulnerability was reported by researcher Ngô Thiên An from VNPT-VCI.

Risks and Potential Impacts:

Stored XSS vulnerabilities such as this can lead to unauthorized script execution, which may result in further web-based attacks, including stealing cookies, session hijacking, and data theft. For a small business, the consequences can be particularly severe, ranging from the loss of sensitive customer data to a damaged reputation and potential legal implications.

Overview of Previous Vulnerabilities:

Since April 13, 2021, the Essential Addons for Elementor plugin has had 22 documented vulnerabilities. This history underscores the importance of regular updates and active monitoring of security advisories.

Conclusion:

The rapid response by the developers of Essential Addons for Elementor to patch this vulnerability underscores the importance of timely updates. Small business owners, often pressed for time and resources, must prioritize their website's security to protect their assets and customer data. Implementing regular maintenance schedules, subscribing to security newsletters, and using automated tools can significantly reduce the risk and help in managing these critical tasks more efficiently.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
