Exclusive Addons for Elementor Vulnerability- Stored Cross-Site Scripting Vulnerabilities – CVE-2024-0824 & CVE-2024-0823 |WordPress Plugin Vulnerability Report 

Plugin Name: Exclusive Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: exclusive-addons-for-elementor
  • Software Status: Active
  • Software Author: timstrifler
  • Software Downloads: 688,917
  • Active Installs: 50,000
  • Last Updated: February 1, 2024
  • Patched Versions: 2.6.9
  • Affected Versions: <= 2.6.8

Vulnerability Details (Section 1):

  • Name: Exclusive Addons for Elementor <= 2.6.8
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Link Anything
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0824
  • CVSS Score: 6.4
  • Publicly Published: January 26, 2024
  • Researcher: Webbernaut
  • Description: The Exclusive Addons for Elementor plugin is susceptible to Stored Cross-Site Scripting (XSS) via its Link Anything functionality due to inadequate input sanitization and output escaping. Authenticated users with at least contributor-level permissions can inject harmful scripts that are executed when a page is accessed.

Vulnerability Details (Section 2):

  • Name: Exclusive Addons for Elementor <= 2.6.8
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0823
  • CVSS Score: 5.4
  • Publicly Published: January 26, 2024
  • Researcher: Webbernaut
  • Description: Another vulnerability in the Exclusive Addons for Elementor plugin allows Stored XSS via the 'Link To' URL in carousels. This flaw arises from insufficient input sanitization on user-supplied attributes, enabling authenticated attackers with contributor-level access to embed arbitrary web scripts in pages.

Summary:

Exclusive Addons for Elementor, a popular plugin for enhancing Elementor page builder capabilities, has been found to contain critical vulnerabilities in versions up to 2.6.8. These vulnerabilities, identified as CVE-2024-0824 and CVE-2024-0823, involve Stored Cross-Site Scripting risks that could compromise website security. Both vulnerabilities have been addressed in the patched version 2.6.9.

Detailed Overview:

Discovered by the security researcher Webbernaut, these vulnerabilities highlight the importance of stringent input sanitization and output escaping in WordPress plugins to prevent XSS attacks. The potential for authenticated attackers to inject malicious scripts poses a significant risk to website integrity and user security, underlining the necessity for prompt updates and vigilance.

Advice for Users:

  • Immediate Action: Users of the Exclusive Addons for Elementor plugin should immediately update to version 2.6.9 to mitigate these vulnerabilities. Delaying this critical update could expose your site to XSS attacks.
  • Check for Signs of Vulnerability: Administrators are advised to review their site for any unusual or unauthorized content changes, especially within Elementor pages that utilize Exclusive Addons.
  • Alternate Plugins: While the patched version is secure, users may explore other Elementor addons with similar functionalities as a precautionary measure.
  • Stay Updated: Consistently updating all WordPress components, including plugins, themes, and the core, is essential for maintaining a secure online presence.

Conclusion:

The swift identification and remediation of CVE-2024-0824 and CVE-2024-0823 within the Exclusive Addons for Elementor plugin underscore the ongoing challenges posed by cybersecurity threats. These incidents serve as a crucial reminder for WordPress site owners and administrators about the importance of regular updates and adopting best security practices. By ensuring that your site's plugins are up-to-date, you can significantly enhance your defenses against potential vulnerabilities and contribute to a safer WordPress ecosystem.

References:

In the digital age, where WordPress stands as a cornerstone for countless websites, the security of each plugin becomes integral to the overall safety and integrity of online platforms. The recent uncovering of vulnerabilities within the "Exclusive Addons for Elementor" plugin, specifically CVE-2024-0824 and CVE-2024-0823, serves as a stark reminder of the ongoing battle against cybersecurity threats. This situation underscores the critical importance of regular updates and vigilant security practices to safeguard digital assets.

About the Plugin: Exclusive Addons for Elementor

Exclusive Addons for Elementor enriches the Elementor page builder experience, offering a suite of additional features to enhance website design and functionality. With an impressive count of over 50,000 active installations and nearly 689,000 downloads, its influence on the WordPress community is substantial. Developed by Tim Strifler, the plugin has become a staple for many WordPress site owners seeking to elevate their site's aesthetics and user experience.

Vulnerability Insights: CVE-2024-0824 & CVE-2024-0823

The vulnerabilities in question, CVE-2024-0824 and CVE-2024-0823, were identified by the researcher Webbernaut and publicly disclosed on January 26, 2024. These flaws expose the plugin to Stored Cross-Site Scripting (XSS) attacks through insufficient input sanitization and output escaping in two distinct functionalities: the Link Anything feature and the 'Link To' URL in carousels. Authenticated users with contributor-level access or higher could exploit these vulnerabilities to inject arbitrary web scripts, which would execute whenever a user accesses an injected page.

Risks and Potential Impacts

The exploitation of these vulnerabilities poses significant risks to website integrity and user security. Malicious scripts injected through these vulnerabilities could lead to unauthorized access, data breaches, and a compromised user experience, eroding trust and potentially damaging the site owner's reputation.

Remediation Strategies

To mitigate the risks associated with CVE-2024-0824 and CVE-2024-0823, users of the Exclusive Addons for Elementor plugin are urged to update to version 2.6.9, where these issues have been addressed. Site administrators should also conduct thorough reviews of their site's content for any unusual or unauthorized changes, particularly in areas utilizing the affected plugin functionalities.

Historical Context and Proactive Measures

With three previous vulnerabilities reported since December 14, 2022, the security track record of Exclusive Addons for Elementor highlights the need for continuous vigilance. Regularly updating plugins, employing robust security solutions, and staying informed about potential vulnerabilities are crucial steps in maintaining a secure WordPress site.

Conclusion: The Imperative of Digital Vigilance

For small business owners managing WordPress sites, the challenge of staying abreast of every security update can seem daunting. However, the discovery of vulnerabilities such as CVE-2024-0824 and CVE-2024-0823 within widely used plugins like Exclusive Addons for Elementor illustrates the critical importance of proactive security measures. Regular updates, vigilant monitoring, and employing best security practices are not just recommended actions but essential components of responsible digital stewardship. By prioritizing the security of your WordPress site, you safeguard not only your digital assets but also the trust and confidence of your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Exclusive Addons for Elementor Vulnerability- Stored Cross-Site Scripting Vulnerabilities – CVE-2024-0824 & CVE-2024-0823 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment