Happy Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via PDF View Widget – CVE-2024-6627 | WordPress Plugin Vulnerability Report

Plugin Name: Happy Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: happy-elementor-addons
  • Software Status: Active
  • Software Author: thehappymonster
  • Software Downloads: 7,563,441
  • Active Installs: 400,000
  • Last Updated: July 29, 2024
  • Patched Versions: 3.11.3
  • Affected Versions: <= 3.11.2

Vulnerability Details:

  • Name: Happy Addons for Elementor <= 3.11.2
  • Type: Authenticated (Contributor+) Stored Cross-Site Scripting via PDF View Widget
  • CVE: CVE-2024-6627
  • CVSS Score: 6.4
  • Publicly Published: July 26, 2024
  • Researcher: Webbernaut
  • Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's PDF View widget in all versions up to and including 3.11.2. This vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts into pages, which will execute whenever a user accesses an injected page.

Summary:

The Happy Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 3.11.2 that allows authenticated attackers with contributor-level access to inject arbitrary web scripts via the PDF View widget. This vulnerability has been patched in version 3.11.3.

Detailed Overview:

The vulnerability was identified by researcher Webbernaut and involves a lack of proper input sanitization and output escaping in the PDF View widget: values supplied in the widget's settings are written into the page's HTML without being escaped for the context they land in. This allows attackers with contributor-level access to store malicious script inside a page's widget settings. When any user views that page, including a logged-in editor or administrator, the script executes in that user's browser, leading to potential data theft, actions performed with the viewer's privileges, or other malicious activity. The CVSS score of 6.4 (medium severity) reflects that an authenticated account is required, but a contributor account is a low bar, so the issue should still be addressed promptly.

Advice for Users:

  • Immediate Action: Update the Happy Addons for Elementor plugin to version 3.11.3 or later. The update adds the missing sanitization and escaping to the PDF View widget; it does not remove any payload that was stored in page content before the update.
  • Check for Signs of Compromise: Review pages, drafts and post revisions that use the PDF View widget for unexpected markup or script in the widget's settings, paying particular attention to content submitted by contributor-level accounts. Elementor stores widget settings as JSON in the _elementor_data post meta rather than in the post body, so the injected content will not show up in the classic post editor. Also review the contributor-level accounts themselves and remove any you do not recognise.
  • Alternate Plugins: Switching add-ons is not required once the patch is applied. If you do evaluate other Elementor addons, weigh their update cadence and disclosure history rather than feature count alone.
  • Stay Updated: Regularly updating all plugins and the WordPress core is essential to maintain site security and close vulnerabilities such as this one as soon as fixes ship.

Conclusion:

The prompt response from the developers of Happy Addons for Elementor to patch this vulnerability underscores the importance of timely updates. Users are strongly encouraged to ensure they are running version 3.11.3 or later to protect their WordPress sites from potential exploits.

Detailed Report: 

Ensuring the security of your WordPress website is crucial, especially when using popular plugins that enhance functionality. Recently, a significant vulnerability was discovered in the Happy Addons for Elementor plugin, affecting versions up to 3.11.2. This vulnerability, identified as CVE-2024-6627, allows authenticated attackers with contributor-level access to inject malicious scripts via the PDF View widget, leading to stored cross-site scripting (XSS). Such vulnerabilities highlight the critical importance of keeping your website's plugins up to date to prevent potential security breaches and protect your data.

Details About the Plugin:

The Happy Addons for Elementor plugin, developed by thehappymonster, is a widely-used tool designed to enhance the capabilities of the Elementor page builder. With over 7 million downloads and 400,000 active installs, it offers a range of features to improve site design and functionality. Despite its popularity, the recent discovery of a vulnerability underscores the necessity for regular updates and vigilant security practices.

Details About the Vulnerability:

The vulnerability in the Happy Addons for Elementor plugin, up to and including version 3.11.2, involves insufficient input sanitization and output escaping of user-supplied attributes in the PDF View widget: values a user enters in the widget's settings are placed into the page's HTML without being escaped for the context they land in. Contributor-level access matters here because WordPress does not grant contributors the unfiltered_html capability, so they cannot normally place script in content; an unescaped widget setting bypasses that restriction. When a page carrying the payload is rendered, the injected script executes in the browser of whoever views it, potentially leading to session theft, actions performed with the viewer's privileges, and other malicious activity. The vulnerability, discovered by researcher Webbernaut, was publicly disclosed on July 26, 2024, and has a CVSS score of 6.4, which is medium severity on the CVSS v3 scale (4.0 to 6.9).
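The pattern described in this section and in the Detailed Overview above, shown in code as an added example that is not Happy Addons' own widget code: a hypothetical PDF viewer widget render routine that drops user-supplied settings straight into HTML, beside the hardened form that escapes each value for the context it lands in. The setting names pdf_url, viewer_height and fallback_text are assumptions. esc_url(), esc_attr() and absint() are the real WordPress functions; the guarded stand-ins at the top exist only so the file also runs under plain php outside WordPress. In a real Elementor widget this logic lives in the widget's render() method and reads its settings through get_settings_for_display().

```php
<?php
// Added illustration, not Happy Addons' code. Shows a hypothetical PDF viewer
// widget that renders Contributor-editable settings into markup, first without
// and then with context-appropriate escaping.

// Minimal stand-ins so this file runs with plain `php` outside WordPress.
// Inside WordPress the real esc_attr()/esc_url()/absint() are used instead
// (WordPress's esc_url is stricter: it also strips characters such as " and <).
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        $url    = trim((string) $url);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
            return ''; // reject javascript:, data:, etc.
        }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($n) { return abs((int) $n); }
}

// Vulnerable pattern: settings concatenated straight into HTML/CSS contexts.
function render_pdf_view_vulnerable(array $s): string
{
    return '<div class="ha-pdf-view" style="height:' . $s['viewer_height'] . 'px">'
         . '<iframe src="' . $s['pdf_url'] . '" title="' . $s['fallback_text'] . '"></iframe>'
         . '</div>';
}

// Hardened pattern: each value escaped or coerced for the context it lands in.
//   URL attribute  -> esc_url()   (scheme check + attribute-safe encoding)
//   text attribute -> esc_attr()  (HTML attribute encoding)
//   CSS length     -> absint()    (coerce to a non-negative integer)
function render_pdf_view_hardened(array $s): string
{
    $url    = esc_url($s['pdf_url'] ?? '');
    $height = absint($s['viewer_height'] ?? 600);
    $title  = esc_attr($s['fallback_text'] ?? '');
    if ($url === '') {
        return '<!-- pdf_view: invalid or disallowed URL -->';
    }
    return '<div class="ha-pdf-view" style="height:' . $height . 'px">'
         . '<iframe src="' . $url . '" title="' . $title . '"></iframe>'
         . '</div>';
}

// Constructed sample of what a malicious Contributor could save in the editor.
$settings = [
    'pdf_url'       => 'https://example.com/x.pdf" onload="alert(document.cookie)',
    'viewer_height' => '600;background:url(javascript:alert(1))',
    'fallback_text' => '"><script>alert(1)</script>',
];

echo "vulnerable:\n", render_pdf_view_vulnerable($settings), "\n\n";
echo "hardened:\n",   render_pdf_view_hardened($settings),   "\n";
```

Sanitizing on save (for example with sanitize_text_field) is worth doing, but it is the output escaping that closes the hole: the escaping function has to match the destination context, so a URL attribute, a text attribute and a CSS length each get a different treatment above.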

Risks and Potential Impacts of the Vulnerability:

The primary risk associated with this vulnerability is the execution of malicious scripts when users access pages containing the injected content. This can lead to unauthorized data access, session theft, and other actions that compromise the integrity and security of the website. Because the payload is stored, it fires for every visitor until the content is cleaned, and when the viewer is an editor or administrator the script runs with that user's session. The ability for contributors to inject scripts also widens the attacker pool: the contributor role is commonly given to guest authors and freelance writers, so the attacker need not be a trusted insider, and a single compromised contributor password is enough. This makes it essential to address the issue promptly.

How to Remediate the Vulnerability:

To mitigate the risks posed by this vulnerability, users must update the Happy Addons for Elementor plugin to version 3.11.3 or later, where the issue has been patched. Updating closes the injection point but does not remove content that was already injected, so also review site content, including drafts and post revisions (contributors cannot publish, so a contributor's draft submitted for review is typically where the payload lands), and access logs for any signs of unauthorized script injections or content changes. Rotate the credentials of any contributor account that appears to have been misused. For those seeking additional security, evaluating alternative plugins with a strong update and disclosure record may be beneficial.
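One way to carry out the content review recommended here and under "Check for Signs of Compromise" above, as an added check that is not part of the original report or of the plugin: a script that walks the JSON Elementor stores in the _elementor_data post meta (a tree of elements with id, elType, widgetType, settings and elements fields) and flags widget settings that contain markup or script-bearing text. The widget type name "ha-pdf-view" and the setting names in the constructed sample are assumptions; the scan is not limited to them and reports every widget type.

```php
<?php
// Added check, not part of the original report or of Happy Addons' code.
// Walks an _elementor_data tree and flags scalar settings carrying markup.

// Patterns that should never appear in a plain URL or text widget setting.
const SUSPICIOUS_SETTING_PATTERN =
    '/<\s*\/?\s*[a-z!]'        // start of a tag or comment
    . '|javascript\s*:'        // script URL scheme
    . '|data\s*:\s*text\/html' // HTML data URL
    . '|\bon[a-z]+\s*='        // inline event handler attribute
    . '|["\']\s*>/i';          // attribute breakout

function setting_is_suspicious(string $value): bool
{
    return preg_match(SUSPICIOUS_SETTING_PATTERN, $value) === 1;
}

// Recursively flattens a settings value (scalars, lists, repeater rows)
// and records [keyPath, value] for every string that matches.
function scan_setting($value, string $keyPath, array &$hits): void
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            scan_setting($v, $keyPath . '.' . $k, $hits);
        }
    } elseif (is_string($value) && setting_is_suspicious($value)) {
        $hits[] = [$keyPath, $value];
    }
}

// Walks the element tree; returns [elementPath, settingKey, value] triples.
function find_suspicious_widget_settings(array $elements, string $path = ''): array
{
    $hits = [];
    foreach ($elements as $el) {
        $label = ($el['elType'] ?? '?') . ':' . ($el['widgetType'] ?? $el['id'] ?? '?');
        $here  = $path . '/' . $label;
        $local = [];
        scan_setting($el['settings'] ?? [], '', $local);
        foreach ($local as [$key, $value]) {
            $hits[] = [$here, ltrim($key, '.'), $value];
        }
        if (!empty($el['elements']) && is_array($el['elements'])) {
            $hits = array_merge($hits, find_suspicious_widget_settings($el['elements'], $here));
        }
    }
    return $hits;
}

// Constructed sample of an _elementor_data value: one clean heading widget and
// one PDF View widget whose fallback text carries an event-handler payload.
$sampleJson = <<<'JSON'
[{"id":"a1","elType":"section","settings":{},"elements":[
  {"id":"b2","elType":"column","settings":{},"elements":[
    {"id":"c3","elType":"widget","widgetType":"ha-pdf-view",
     "settings":{"pdf_url":"https://example.com/brochure.pdf",
                 "fallback_text":"\"><img src=x onerror=alert(document.cookie)>"}},
    {"id":"d4","elType":"widget","widgetType":"heading",
     "settings":{"title":"About us","size":"large"}}
  ]}
]}]
JSON;

// On a live site read the real value instead, e.g.
//   $json = get_post_meta($post_id, '_elementor_data', true);
// or from the shell:  wp post meta get <post_id> _elementor_data
$tree = json_decode($sampleJson, true);
if (!is_array($tree)) {
    fwrite(STDERR, "invalid _elementor_data JSON\n");
    exit(1);
}
foreach (find_suspicious_widget_settings($tree) as [$where, $key, $value]) {
    printf("SUSPICIOUS %s setting=%s value=%s\n", $where, $key, $value);
}
```

Run it against every post and revision that uses Elementor, not only published pages, since a contributor's submitted draft is where the payload is most likely to sit. Widgets whose settings legitimately hold HTML (a text editor or HTML widget) will show up as hits; treat the output as a worklist for manual review rather than as a verdict.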

Overview of Previous Vulnerabilities:

The Happy Addons for Elementor plugin has a history of previous vulnerabilities, highlighting the ongoing need for vigilance and timely updates to protect against new and emerging threats. There have been 28 previous vulnerabilities reported since April 26, 2021, emphasizing the importance of regular maintenance and security checks.

Conclusion:

For small business owners managing a WordPress website, staying on top of security vulnerabilities can be challenging but is vital for protecting your site and data. Regular updates, security audits, and professional assistance when needed are essential practices to ensure the security of your online presence. By prioritizing these measures, you can safeguard your website, maintain user trust, and prevent potential security breaches.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
