Essential Addons for Elementor Vulnerability – Best Elementor Templates, Widgets, Kits & WooCommerce Builders – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1236 | WordPress Plugin Vulnerability Report
Plugin Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Key Information:
- Software Type: Plugin
- Software Slug: essential-addons-for-elementor-lite
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 66,915,084
- Active Installs: 2,000,000
- Last Updated: February 27, 2024
- Patched Versions: 5.9.9
- Affected Versions: <= 5.9.8
Vulnerability Details:
- Name: Essential Addons for Elementor <= 5.9.8
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-1236
- CVSS Score: 6.4
- Publicly Published: February 12, 2024
- Researcher: Webbernaut
- Description: The plugin is vulnerable to Stored Cross-Site Scripting via the Filterable Controls label icon parameter due to insufficient input sanitization and output escaping. Authenticated attackers with contributor access or higher can inject arbitrary web scripts in pages, which execute whenever a user accesses an injected page.
Summary:
The Essential Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 5.9.8 that allows authenticated attackers with contributor-level access or higher to perform stored cross-site scripting attacks via the Filterable Controls label icon parameter. This vulnerability has been patched in version 5.9.9.
Detailed Overview:
The vulnerability was identified by the researcher Webbernaut and involves insufficient input sanitization and output escaping of the plugin's Filterable Controls label icon parameter. Because the value is saved with the page and rendered without escaping, an attacker with at least contributor access can store a script payload that runs in the browser of every visitor who loads the affected page. When that visitor is a logged-in editor or administrator, the script runs with that user's session and can perform actions on their behalf. Version 5.9.9 corrects the sanitization and escaping and removes the issue.
Advice for Users:
- Immediate Action: Users should update to the patched version 5.9.9 immediately.
- Check for Signs of Exploitation: Review pages and posts built with the Filterable Controls feature for unexpected markup or script content in their Elementor widget settings (stored in the `_elementor_data` post meta), and audit all accounts with contributor-level access or higher for logins or content changes you do not recognize.
- Alternate Plugins: While a patch is available, considering alternative plugins offering similar functionality may serve as a precaution.
- Stay Updated: Regularly update all plugins to their latest versions to protect against vulnerabilities.
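The check above is easiest to do against the stored widget settings rather than the rendered HTML, because the payload lives in the `_elementor_data` post meta as JSON. The following is an added example, not code from the plugin or from Your WP Guy: it walks Elementor's element tree (sections, columns, widgets) and flags any string setting that looks like injected markup. The widget type `eael-filterable-gallery`, the `eael_fg_controls` / `label_icon` setting names, and the sample data are constructed for illustration and are assumptions about the real key names; the walker does not depend on them, since it inspects every string at every depth.

```python
import json
import re

# Markup that has no business in a setting meant to hold an icon class or a short
# label. Deliberately broad: a match means "inspect this post", not "exploited".
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|<\s*(?:img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def _walk_settings(value, el_path, key_path, hits):
    """Recurse through a widget's settings object and flag suspicious strings."""
    if isinstance(value, dict):
        for k, v in value.items():
            _walk_settings(v, el_path, key_path + [str(k)], hits)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _walk_settings(v, el_path, key_path + [str(i)], hits)
    elif isinstance(value, str) and SUSPICIOUS.search(value):
        hits.append({
            "element": "/".join(el_path),   # e.g. section#id/column#id/widget#id
            "setting": ".".join(key_path),  # dotted path inside "settings"
            "value": value,
        })


def _walk_elements(elements, path, hits):
    """Recurse through Elementor's element tree: sections > columns > widgets."""
    for el in elements:
        label = el.get("widgetType", el.get("elType", "?")) + "#" + el.get("id", "?")
        here = path + [label]
        _walk_settings(el.get("settings", {}), here, [], hits)
        _walk_elements(el.get("elements", []), here, hits)


def scan_elementor_data(meta_value):
    """
    meta_value: the raw _elementor_data string for one post (a JSON array), as
    returned by `wp post meta get <post_id> _elementor_data`.
    Returns a list of findings; an empty list means nothing matched.
    """
    try:
        tree = json.loads(meta_value)
    except json.JSONDecodeError:
        return [{"element": "", "setting": "", "value": "unparseable _elementor_data"}]
    hits = []
    _walk_elements(tree if isinstance(tree, list) else [], [], hits)
    return hits


def scan_rows(rows):
    """rows: iterable of (post_id, meta_value). Returns {post_id: findings} for posts with hits."""
    report = {}
    for post_id, meta_value in rows:
        findings = scan_elementor_data(meta_value)
        if findings:
            report[post_id] = findings
    return report


# Constructed sample: one page whose second filter control carries an injected
# payload in the (assumed) label_icon setting; the first control is benign.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "1a2b3c", "elType": "section", "settings": {}, "elements": [
        {"id": "4d5e6f", "elType": "column", "settings": {"_column_size": 100}, "elements": [
            {"id": "7a8b9c", "elType": "widget", "widgetType": "eael-filterable-gallery",
             "settings": {
                 "eael_fg_controls": [
                     {"eael_fg_control": "All", "label_icon": "fas fa-star"},
                     {"eael_fg_control": "Portfolio",
                      "label_icon": "<img src=x onerror=alert(document.cookie)>"},
                 ]
             },
             "elements": []},
        ]},
    ]},
])

SAMPLE_ROWS = [
    (42, SAMPLE_ELEMENTOR_DATA),                 # constructed: injected page
    (43, json.dumps([{"id": "x1", "elType": "section", "settings": {}, "elements": []}])),
]

if __name__ == "__main__":
    for post_id, findings in scan_rows(SAMPLE_ROWS).items():
        for f in findings:
            print(f"post {post_id}: {f['element']} -> {f['setting']}: {f['value']!r}")
```

To run this against a live site, export `(post_id, meta_value)` pairs with `wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key='_elementor_data'"` (adjust the table prefix) and feed them to `scan_rows`. A hit on a post last edited by a contributor-level account is the strongest signal; a hit on an administrator-authored post may simply be a legitimate custom HTML widget, so review the flagged value before acting on it.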
Conclusion:
The prompt patching of this vulnerability by the plugin developers highlights the critical nature of maintaining up-to-date installations for WordPress and its associated plugins. Users are urged to upgrade to version 5.9.9 or later of the Essential Addons for Elementor plugin to ensure their WordPress sites remain secure.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.