Happy Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-5088, CVE-2024-4865 | WordPress Plugin Vulnerability Report

Plugin Name: Happy Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: happy-elementor-addons
  • Software Status: Active
  • Software Author: thehappymonster
  • Software Downloads: 6,974,697
  • Active Installs: 400,000
  • Last Updated: May 17, 2024
  • Patched Versions: 3.10.9
  • Affected Versions: <= 3.10.8

Vulnerability Details:

  • Name: Happy Addons for Elementor <= 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-5088, CVE-2024-4865
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 17, 2024
  • Researcher: Thanh Nam Tran, stealthcopter
  • Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_id' parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Happy Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 3.10.8 that allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 3.10.9.

Detailed Overview:

Researchers Thanh Nam Tran and stealthcopter discovered a Stored Cross-Site Scripting vulnerability in the Happy Addons for Elementor plugin for WordPress. The vulnerability is due to insufficient input sanitization and output escaping of the '_id' parameter, allowing attackers to inject malicious scripts that execute when users access the compromised pages. This vulnerability poses a risk to sites running the affected versions of the plugin, as it can be exploited by authenticated users with Contributor-level access or higher. The vulnerability has been patched in version 3.10.9.

Advice for Users:

  1. Immediate Action: Update the Happy Addons for Elementor plugin to version 3.10.9 or later to ensure your site is protected against this vulnerability.
  2. Check for Signs of Vulnerability: Review your site's pages for any suspicious or unexpected content that may have been injected by attackers.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.10.9 or later to secure their WordPress installations.

References:

Detailed Report:

As a website owner, keeping your WordPress site secure should always be a top priority. Today, we bring to your attention a medium-severity (CVSS 6.4) stored cross-site scripting vulnerability discovered in the popular Happy Addons for Elementor plugin. This vulnerability, if left unpatched, could put your website at risk of being compromised by attackers.

Plugin Details

The Happy Addons for Elementor plugin is a widely-used extension for the Elementor page builder, with over 400,000 active installations. It offers a range of additional widgets and features to enhance the functionality of Elementor. The plugin is developed by thehappymonster and has been downloaded a total of 6,974,697 times.

Vulnerability Details

Researchers Thanh Nam Tran and stealthcopter have discovered a Stored Cross-Site Scripting (XSS) vulnerability in the Happy Addons for Elementor plugin. The vulnerability exists in all versions of the plugin up to and including 3.10.8. It is caused by insufficient input sanitization and output escaping of the '_id' parameter, allowing attackers to inject malicious scripts that execute when users access the compromised pages. The vulnerability has been assigned the following CVE IDs:

  • CVE-2024-5088
  • CVE-2024-4865

The vulnerability has a CVSS score of 6.4, which is considered medium severity.

Risks and Potential Impacts

This Stored XSS vulnerability poses a significant risk to websites running the affected versions of the Happy Addons for Elementor plugin. Attackers with Contributor-level access or higher can exploit this vulnerability to inject malicious scripts into the website's pages. When unsuspecting users access these injected pages, the scripts execute, potentially leading to:

  • Data theft
  • Malware distribution
  • Unauthorized access to the site
  • Defacement of the website
  • Compromised user accounts

How to Remediate the Vulnerability

To protect your WordPress site from this vulnerability, it is crucial to take immediate action by following these steps:

  1. Update the Happy Addons for Elementor plugin to version 3.10.9 or later, which includes the necessary patch to address the vulnerability.
  2. Review your site's pages for any suspicious or unexpected content that may have been injected by attackers.
  3. If you are unsure about updating the plugin or need assistance, consider reaching out to a professional or the plugin's support team.
  4. As a precautionary measure, you may also consider using alternative plugins that offer similar functionality to Happy Addons for Elementor.
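Steps 1 and 2 above (confirm you are on a patched version, then look for injected content) can be scripted. The following Python is an added example written for this report; it is not the plugin's code, not the researchers' proof of concept, and it does not reproduce the '_id' issue itself. It assumes two things that are not on this page: that the plugin's main file carries a standard WordPress "Version:" header (the file path in the comment is an assumption), and that the content you scan is what a Contributor stored in the post or Elementor widget data, where inline scripts and event-handler attributes should never appear because Contributors lack the unfiltered_html capability. The header text and the page fragment are constructed samples.

```python
"""Added example for this advisory (not the plugin's or the report's code).

Two defender-side checks:
  1. read the installed version of happy-elementor-addons from its plugin header
     and decide whether it is in the affected range (<= 3.10.8, patched in 3.10.9);
  2. scan stored page content for markup a stored XSS typically leaves behind
     (inline <script> tags, on* event-handler attributes, javascript: URLs).
Scan stored post content / widget data, not the rendered front end: a theme's own
<script> tags would otherwise produce false positives.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

PATCHED_VERSION = "3.10.9"  # from the advisory

# Constructed sample of a WordPress plugin main-file header. The real file would be
# read from wp-content/plugins/happy-elementor-addons/ (path assumed, not verified).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Happy Addons for Elementor
 * Version: 3.10.8
 * Author: thehappymonster
 */
"""

# Constructed sample of stored page content containing three injected patterns.
SAMPLE_STORED_CONTENT = """
<div class="elementor-widget" data-id="abc123">
  <h2>Welcome</h2>
  <div id="x" onmouseover="alert(1)">hover</div>
  <a href="javascript:void(0)">link</a>
  <script>document.title='x'</script>
</div>
"""


def parse_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' value from a WordPress plugin header block."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)[ \t]*$",
                  header_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; plain string comparison would rank 3.9 above 3.10."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def is_affected(installed: str) -> bool:
    """True when the installed version predates the patched release."""
    return version_key(installed) < version_key(PATCHED_VERSION)


class InjectedMarkupScanner(HTMLParser):
    """Collects (finding, line_number) pairs for script-bearing markup."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, int]] = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script":
            self.findings.append(("script-tag", line))
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.findings.append((f"event-handler:{name}", line))
            if name in ("href", "src", "action", "formaction") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append((f"javascript-url:{name}", line))


def scan_page(content: str) -> List[Tuple[str, int]]:
    """Return every suspicious construct found in stored page content."""
    scanner = InjectedMarkupScanner()
    scanner.feed(content)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    installed = parse_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {installed}: {'AFFECTED' if is_affected(installed) else 'patched'}")
    for finding, line in scan_page(SAMPLE_STORED_CONTENT):
        print(f"line {line}: {finding}")
```

Run it against the header of the real plugin file and against the post_content or Elementor widget data exported from the database; any finding in content authored by a Contributor-level account deserves a manual look, and an "AFFECTED" result means step 1 has not been completed.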

Previous Vulnerabilities

It is worth noting that the Happy Addons for Elementor plugin has had 23 previous vulnerabilities since April 2021. This highlights the importance of regularly updating your plugins and staying informed about the latest security issues.

The Importance of Staying Vigilant

As a small business owner with a WordPress website, it can be challenging to stay on top of security vulnerabilities and keep your site protected. However, neglecting website security can lead to severe consequences, such as data breaches, loss of customer trust, and damage to your brand's reputation.

By staying informed about the latest security threats, regularly updating your plugins and themes, and following best practices for website security, you can significantly reduce the risk of falling victim to attacks. If you find it difficult to manage your website's security on your own, consider partnering with a reliable web development or security agency that can help you stay on top of these critical issues.

Remember, the security of your website is not just about protecting your business; it's also about safeguarding your customers' data and maintaining their trust in your brand.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
