Exclusive Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via InfoBox – CVE-2024-2751 | WordPress Plugin Vulnerability Report
Plugin Name: Exclusive Addons for Elementor
Key Information:
- Software Type: Plugin
- Software Slug: exclusive-addons-for-elementor
- Software Status: Active
- Software Author: timstrifler
- Software Downloads: 814,796
- Active Installs: 60,000
- Last Updated: April 25, 2024
- Patched Versions: 2.6.9.3
- Affected Versions: <= 2.6.9.2
Vulnerability Details:
- Name: Exclusive Addons for Elementor <= 2.6.9.2
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via InfoBox
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2751
- CVSS Score: 6.4
- Publicly Published: April 15, 2024
- Researcher: ST
- Description: The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘exad_infobox_animating_mask_style’ parameter in all versions up to, and including, 2.6.9.2. This vulnerability arises from insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access or higher, to inject arbitrary web scripts that execute whenever a user accesses an injected page.
Summary:
The Exclusive Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 2.6.9.2 that allows contributors and higher-level users to inject malicious scripts through the InfoBox feature. This vulnerability has been patched in version 2.6.9.3.
Detailed Overview:
This vulnerability was uncovered by researcher ST and involves the manipulation of the InfoBox's animating mask style parameter. The lack of proper sanitization and escaping of user inputs in this parameter enables the injection of executable JavaScript code into web pages. The potential impact of this vulnerability includes unauthorized access to user data, session takeover, and manipulation of website content, posing a significant risk to website integrity and user privacy. The developers have addressed this critical issue in the latest patch, mitigating the associated risks.
Advice for Users:
- Immediate Action: Update to the patched version 2.6.9.3 immediately to close this security vulnerability.
- Check for Signs of Vulnerability: Administrators should review page content where InfoBox elements are used for signs of tampering or unexpected script executions.
- Alternate Plugins: Consider temporarily using alternate Elementor addons that offer similar functionality but are not affected by this vulnerability while assessing your site’s security posture.
- Stay Updated: Keep all plugins updated to their latest versions, and subscribe to security bulletins for timely information on potential vulnerabilities.
Conclusion:
The rapid response from the developers of Exclusive Addons for Elementor in addressing this XSS vulnerability demonstrates the critical importance of maintaining up-to-date security measures in all WordPress plugins. Users are strongly advised to install updates as soon as they are available to protect their sites from potential threats. Regular updates, vigilant monitoring of plugin security, and adherence to best practices in website administration are essential for safeguarding your WordPress installations against attacks.
References:
- Wordfence Vulnerability Report for Exclusive Addons for Elementor
- Wordfence Vulnerabilities Overview for Exclusive Addons for Elementor
Detailed Report:
In the sprawling ecosystem of WordPress, plugins enhance functionality but also pose risks if not meticulously managed. A recent example is a vulnerability in the Exclusive Addons for Elementor plugin, which has spotlighted the critical need for constant vigilance and timely updates. This particular plugin, integral for enhancing Elementor with unique widgets and functionalities, was compromised up to version 2.6.9.2, affecting over 60,000 websites.
About the Plugin: Exclusive Addons for Elementor
Exclusive Addons for Elementor enriches the Elementor page builder with additional widgets and features, making it a favorite among WordPress users. Authored by timstrifler, this plugin boasts 814,796 downloads and maintains active installations in thousands of websites. The most recent update, as of April 25, 2024, pushed the plugin to version 2.6.9.3 in response to a critical security vulnerability.
Detailed Overview
The flaw arises from insufficient input sanitization and output escaping within the InfoBox component of the plugin, where the 'animating mask style' parameter was vulnerable. The potential for malicious script injection meant that any authenticated user with contributor privileges could compromise the website's security. This type of vulnerability underscores the importance of rigorous security checks in plugin development and maintenance. The patched version rectifies this oversight by enhancing security measures to verify and sanitize user inputs more effectively.
Overview of Previous Vulnerabilities
Since December 14, 2022, there have been 16 documented vulnerabilities for this plugin alone, signaling ongoing security challenges. Each vulnerability has provided crucial lessons in the importance of proactive security practices.
Conclusion
The rapid and effective response of the Exclusive Addons for Elementor developers in addressing the recent XSS vulnerability demonstrates the critical importance of maintaining up-to-date security measures across all WordPress plugins. For small business owners, especially those without dedicated IT teams, understanding the risks associated with outdated plugins and implementing regular updates are essential to safeguarding their online presence. Proactive security practices not only prevent potential cyberattacks but also build trust with users, ensuring the business remains secure and reputable in the digital space.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.