Exclusive Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget – CVE-2024-4618 | WordPress Plugin Vulnerability Report
Plugin Name: Exclusive Addons for Elementor
Key Information:
- Software Type: Plugin
- Software Slug: exclusive-addons-for-elementor
- Software Status: Active
- Software Author: timstrifler
- Software Downloads: 870,318
- Active Installs: 60,000
- Last Updated: May 14, 2024
- Patched Versions: 2.6.9.7
- Affected Versions: <= 2.6.9.6
Vulnerability Details:
- Name: Exclusive Addons for Elementor <= 2.6.9.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Member Widget
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-4618
- CVSS Score: 6.4 (Medium)
- Publicly Published: May 14, 2024
- Researcher: wesley (wcraft)
- Description: The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Member widget in all versions up to, and including, 2.6.9.6 due to insufficient input sanitization and output escaping on user supplied 'url' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Exclusive Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 2.6.9.6 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the Team Member widget due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 2.6.9.7.
Detailed Overview:
The vulnerability was discovered by researcher wesley (wcraft) and publicly published on May 14, 2024. It is a Stored Cross-Site Scripting vulnerability that exists in the Team Member widget of the Exclusive Addons for Elementor plugin. Attackers with contributor-level access or higher can exploit this vulnerability by injecting malicious scripts into the 'url' attribute of the widget. When a user visits a page containing the injected script, it will execute, potentially leading to sensitive information disclosure, session hijacking, or other malicious activities.
Advice for Users:
- Immediate Action: Users should update the Exclusive Addons for Elementor plugin to version 2.6.9.7 or later to patch this vulnerability.
- Check for Signs of Vulnerability: Review your site's pages, especially those containing the Team Member widget, for any suspicious scripts or unauthorized modifications.
- Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.6.9.7 or later to secure their WordPress installations.
References:
Detailed Report:
As a website owner, keeping your WordPress site secure should be a top priority. With the ever-evolving landscape of online threats, it's crucial to stay informed about potential vulnerabilities and take proactive measures to protect your site. In this blog post, we'll discuss a recently discovered vulnerability in the Exclusive Addons for Elementor plugin and emphasize the importance of keeping your website up to date.
The Exclusive Addons for Elementor Plugin
The Exclusive Addons for Elementor plugin is a popular tool for enhancing the functionality of the Elementor page builder. It has been downloaded 870,318 times and has an active installation base of 60,000 websites. The plugin was last updated on May 14, 2024, and the current patched version is 2.6.9.7.
The Vulnerability
A serious security flaw, identified as CVE-2024-4618, was discovered in the Exclusive Addons for Elementor plugin. This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious scripts into your website through the Team Member widget. The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue due to insufficient input sanitization and output escaping on the user-supplied 'url' attribute. It affects all versions of the plugin up to and including 2.6.9.6.
Risks and Potential Impacts
If left unpatched, this vulnerability could lead to sensitive information disclosure, session hijacking, or other malicious activities. Attackers could gain unauthorized access to your site and wreak havoc, putting your users' data at risk. Neglecting to update your plugins not only leaves your site vulnerable to known exploits but also jeopardizes your website's integrity and reputation.
Remediating the Vulnerability
To protect your website from this vulnerability, it is crucial to update the Exclusive Addons for Elementor plugin to version 2.6.9.7 or later. This patched version addresses the security flaw and prevents attackers from exploiting it. Additionally, it's recommended to review your site's pages, especially those containing the Team Member widget, for any suspicious scripts or unauthorized modifications.
Previous Vulnerabilities
It's worth noting that the Exclusive Addons for Elementor plugin has had a history of vulnerabilities. Since December 2022, there have been 18 previously reported vulnerabilities. This underscores the importance of regularly updating your plugins and staying informed about potential security issues.
The Importance of Staying Vigilant
As a small business owner with a WordPress website, it can be challenging to stay on top of security vulnerabilities, especially when you have limited time and resources. However, neglecting website security can have severe consequences, including data breaches, loss of customer trust, and financial damages.
To ensure your website remains secure, it's essential to prioritize regular plugin updates, monitor your site for suspicious activity, and consider seeking the assistance of experienced WordPress developers or security experts. They can help you assess your site's vulnerabilities, implement necessary updates, and provide ongoing support to keep your website safe from harm.
Don't let security vulnerabilities put your website and your users at risk. Take proactive steps to update your plugins, stay informed about potential threats, and prioritize website security as an integral part of your business strategy. By doing so, you can protect your online presence, maintain customer trust, and focus on growing your business with peace of mind.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.