Essential Addons for Elementor Vulnerability– Best Elementor Templates, Widgets, Kits & WooCommerce Builders – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0954 | WordPress Plugin Vulnerability Report
Plugin Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Key Information:
- Software Type: Plugin
- Software Slug: essential-addons-for-elementor-lite
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 66,002,609
- Active Installs: 2,000,000
- Last Updated: February 12, 2024
- Patched Versions: 5.9.8
- Affected Versions: <= 5.9.7
Vulnerability Details:
- Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.7
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-0954
- CVSS Score: 6.4
- Publicly Published: February 1, 2024
- Researcher: Webbernaut
- Description: The Essential Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the 'data-eael-wrapper-link' wrapper in versions up to and including 5.9.7. Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level permissions to inject arbitrary web scripts, which execute when a user accesses an injected page.
Summary:
The Essential Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 5.9.7 that allows for stored cross-site scripting through specific editing contexts. This vulnerability has been patched in version 5.9.8.
Detailed Overview:
This vulnerability was identified by Webbernaut and involves insufficient input sanitization and output escaping on user-supplied protocols within the 'data-eael-wrapper-link' wrapper. Attackers with at least contributor-level permissions can exploit this flaw to inject malicious scripts into pages, posing risks such as unauthorized data access or manipulation. The prompt release of a patched version highlights the importance of maintaining security vigilance and regular updates.
Advice for Users:
- Immediate Action: Update to version 5.9.8 immediately to mitigate the vulnerability.
- Check for Signs of Vulnerability: Monitor your site for unusual activities or unauthorized changes to web pages.
- Alternate Plugins: Consider alternative solutions offering similar functionalities as a precautionary measure.
- Stay Updated: Regularly update all plugins to their latest versions to protect against known vulnerabilities.
Conclusion:
The swift response by the developers to release a patched version of the Essential Addons for Elementor plugin demonstrates the critical role of timely software updates in web security. Users are strongly advised to update to version 5.9.8 or later to safeguard their WordPress installations against potential exploits.
References:
Staying Ahead of the Curve: The Critical Importance of Website Security Updates
In today's digital age, the security of your website is paramount. As small business owners juggle countless responsibilities, it's easy to overlook the importance of regular website maintenance, particularly software updates. However, neglecting this critical task can expose your online presence to significant risks, as highlighted by a recent vulnerability discovered in a popular WordPress plugin, Essential Addons for Elementor.
About the Plugin:
Essential Addons for Elementor enriches WordPress websites with advanced templates, widgets, kits, and WooCommerce builders, boasting over 2 million active installs. Its versatility and ease of use have made it a staple in the toolkit of many website owners.
The Vulnerability at a Glance:
- CVE ID: CVE-2024-0954
- Type: Authenticated (Contributor+) Stored Cross-Site Scripting
- Affected Versions: Versions up to and including 5.9.7
- Patched Version: 5.9.8
- Impact: Allows attackers with contributor-level access to inject malicious scripts.
This vulnerability stems from insufficient input sanitization and output escaping within the plugin, particularly through the 'data-eael-wrapper-link' wrapper. It enables attackers to execute arbitrary web scripts, potentially compromising the website's integrity and the data security of its users.
Risks and Potential Impacts:
The exploitation of this vulnerability could lead to unauthorized data access, manipulation of website content, and even redirection of visitors to malicious sites. Such breaches not only threaten user trust but can also have severe reputational and financial repercussions for businesses.
Remediation Steps:
- Immediate Update: Upgrade to the patched version 5.9.8 without delay.
- Vigilance: Regularly monitor your site for unusual activities or unauthorized content changes.
- Alternatives: Consider similar plugins as temporary stand-ins while ensuring they are secure and regularly updated.
A History of Vulnerabilities:
This isn't the first time Essential Addons for Elementor has faced security challenges; there have been 11 previous vulnerabilities since April 13, 2021. This pattern underscores the importance of constant vigilance and the need for a proactive approach to website security.
Conclusion:
For small business owners, the digital landscape offers immense opportunities but also presents significant risks. The recent vulnerability in Essential Addons for Elementor is a timely reminder of the potential dangers. Staying on top of security updates can seem daunting, especially when time is a scarce resource. However, the cost of inaction can be far greater, potentially jeopardizing your business's online presence and the trust of your customers. Implementing a routine check for updates, using trusted security plugins, and considering professional maintenance services can alleviate the burden and ensure your website remains secure, reliable, and resilient against threats.
Remember, in the realm of cybersecurity, prevention is always better than cure. Regular updates are not just routine maintenance; they're a crucial defense mechanism that keeps your digital assets safe from the ever-evolving threats of the online world.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.