Exclusive Addons for Elementor Vulnerability – Multiple Stored XSS Vulnerabilities – Multiple CVEs | WordPress Plugin Vulnerability Report

Plugin Name: Exclusive Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: exclusive-addons-for-elementor
  • Software Status: Active
  • Software Author: timstrifler
  • Software Downloads: 841,164
  • Active Installs: 60,000
  • Last Updated: May 6, 2024
  • Patched Versions: 2.6.9.5, 2.6.9.4
  • Affected Versions: <= 2.6.9.4, <= 2.6.9.3

Vulnerability Details:

  1. Name: Exclusive Addons for Elementor <= 2.6.9.4
    • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action
    • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
    • CVE: CVE-2024-3985
    • CVSS Score: 6.4
    • Publicly Published: May 6, 2024
    • Researcher: stealthcopter
    • Description: Vulnerable to Stored Cross-Site Scripting via the Call to Action widget due to insufficient input sanitization and output escaping.
  2. Name: Exclusive Addons for Elementor <= 2.6.9.3
    • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
    • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
    • CVE: CVE-2024-2750
    • CVSS Score: 6.4
    • Publicly Published: April 22, 2024
    • Researcher: wesley
    • Description: Vulnerable to Stored Cross-Site Scripting via the URL attribute of the Button widget due to insufficient input sanitization and output escaping.
  3. Name: Exclusive Addons for Elementor <= 2.6.9.4
    • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Expired Title
    • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
    • CVE: CVE-2024-3489
    • CVSS Score: 6.4
    • Publicly Published: April 22, 2024
    • Researcher: Webbernaut
    • Description: Vulnerable to Reflected Cross-Site Scripting via the Countdown Expired Title due to insufficient input sanitization and output escaping.

Summary:

The Exclusive Addons for Elementor plugin for WordPress contains vulnerabilities in versions up to and including 2.6.9.4 that allow stored and reflected cross-site scripting. These vulnerabilities have been patched in version 2.6.9.5.

Detailed Overview:

The identified vulnerabilities in the Exclusive Addons for Elementor plugin stem from insufficient input sanitization and output escaping across various components including Call to Action and Button widgets. These security flaws enable authenticated attackers, with contributor-level access and above, to execute arbitrary web scripts. Such actions pose significant risks, including unauthorized access to sensitive information and user session hijacking. Immediate remediation involved updating the plugin to incorporate more stringent security measures.

Advice for Users:

  • Immediate Action: Update to the patched version 2.6.9.5 immediately.
  • Check for Signs of Vulnerability: Regularly review your site's logs for unusual activities that could indicate exploitation.
  • Alternate Plugins: Consider alternative plugins that offer similar functionality as a precaution.
  • Stay Updated: Continuously update all plugins to their latest versions to minimize security risks.

Conclusion:

The rapid response by the developers to address these vulnerabilities highlights the necessity of regular updates and vigilant security practices. Users are urged to install version 2.6.9.5 or later of the Exclusive Addons for Elementor to ensure the security of their WordPress installations.

References:

Detailed Report: 

In today’s digital age, maintaining an up-to-date website isn’t just about ensuring your content is fresh—it’s crucial for safeguarding against potential threats that lurk in the shadows of outdated software. A recent finding within the WordPress community underscores this necessity. The "Exclusive Addons for Elementor" plugin, a tool favored by many for its versatility in website building, has been identified as having multiple stored Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities affect all versions up to and including 2.6.9.4 and have necessitated immediate patches to secure the websites of over 60,000 users.

Vulnerability Overview:

The identified vulnerabilities stem from insufficient input sanitization and output escaping across several components including the Call to Action and Button widgets. This flaw allows attackers, even those with just contributor-level access, to inject malicious scripts that could compromise user data and take over admin sessions. The types of vulnerabilities reported were:

  1. CVE-2024-3985: Stored XSS via Call to Action widget
  2. CVE-2024-2750: Stored XSS via Button Widget
  3. CVE-2024-3489: Reflected XSS via Countdown Expired Title

Risk and Impact:

Stored and reflected XSS vulnerabilities pose significant risks. They enable unauthorized actions such as stealing cookies, hijacking sessions, redirecting visitors to malicious websites, and displaying unauthorized content, all of which can degrade trust and compromise sensitive information.

Remediation Steps:

  1. Immediate Update: Ensure that your website is running on the patched versions, 2.6.9.5 or later.
  2. Review and Monitor: Regularly check your website logs for any unusual activities that may indicate a security breach.
  3. Alternative Solutions: Consider exploring other similar plugins that may have a stronger security track record, especially if frequent vulnerabilities are a concern.
  4. Continuous Updates: Always keep your WordPress, themes, and plugins updated to the latest versions.

Historical Vulnerabilities:

Exclusive Addons for Elementor has had 14 documented vulnerabilities since December 14, 2022, highlighting a pattern that demands vigilant updates and regular security checks.

Conclusion:

For small business owners, the task of continuously monitoring and updating a website can seem daunting, especially when resources are limited. However, the rapid response by the Exclusive Addons developers to patch these vulnerabilities serves as a critical reminder of the importance of staying proactive with website security. Implementing a routine check-up for updates, leveraging automated security tools, and occasionally consulting with cybersecurity professionals can protect your business from potential threats and ensure your digital presence remains secure and reputable.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Exclusive Addons for Elementor Vulnerability – Multiple Stored XSS Vulnerabilities – Multiple CVEs | WordPress Plugin Vulnerability Report FAQs

Leave a Comment