Happy Addons for Elementor Vulnerability – Reflected Cross-Site Scripting – CVE-2023-6632 | WordPress Plugin Vulnerability Report

Plugin Name: Happy Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: happy-elementor-addons
  • Software Status: Active
  • Software Author: thehappymonster
  • Software Downloads: 5,728,647
  • Active Installs: 400,000
  • Last Updated: January 5, 2024
  • Patched Versions: 3.10.0
  • Affected Versions: <= 3.9.1.1

Vulnerability Details:

  • Name: Happy Addons for Elementor <= 3.9.1.1 – Reflected Cross-Site Scripting
  • Title: Reflected Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  • CVE: CVE-2023-6632
  • CVSS Score: 6.1 (Medium)
  • Publicly Published: January 5, 2024
  • Researcher: xEHLE
  • Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via DOM in all versions up to and including 3.9.1.1 (versions up to 2.9.1.1 in Happy Addons for Elementor Pro) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Summary:

The Happy Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 3.9.1.1 that allows for reflected cross-site scripting attacks. This vulnerability has been patched in version 3.10.0.

Detailed Overview:

The researcher xEHLE discovered a reflected cross-site scripting (XSS) vulnerability in the Happy Addons for Elementor plugin that affects all versions up to and including 3.9.1.1 (and 2.9.1.1 for the pro version). The flaw is DOM-based: the plugin's client-side code takes attacker-controlled data from the URL and writes it into the page without sufficient sanitization or output escaping. An attacker can therefore craft a link that injects arbitrary JavaScript into the page; the script runs in the browser of whoever clicks the link, with that user's session and privileges. Against an ordinary visitor that means session hijacking or defacing what the page shows; against a logged-in administrator it means the script can perform administrative actions on their behalf. The vulnerability has received a CVSS score of 6.1 (Medium severity). Wordfence Threat Intelligence has confirmed that version 3.10.0 patches this reflected XSS issue. All users are advised to update as soon as possible.

Advice for Users:

  1. Immediate Action: Update to Happy Addons for Elementor version 3.10.0 or newer to patch this vulnerability.
  2. Check for Signs of Exploitation: Reflected XSS leaves no injected code on the server, so review web server access logs for requests whose query strings carry script-like payloads (for example encoded <script or onerror=), and look for unexpected administrator accounts or file changes if an administrator may have followed such a link.
  3. Alternate Plugins: Consider alternate plugins like Elementor Addons & Templates – Sizzify if you cannot update promptly.
  4. Stay Updated: Always keep plugins updated and subscribe to security notifications about vulnerabilities.

Conclusion:

The researcher acted responsibly in disclosing this reflected XSS vulnerability to the plugin developers, who promptly released version 3.10.0 to patch it. While the risk was medium severity, XSS issues should always be addressed quickly. Users are strongly advised to update immediately to protect their sites.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/happy-elementor-addons

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/happy-elementor-addons/happy-addons-for-elementor-3911-reflected-cross-site-scripting

Detailed Report:

Keeping your WordPress site secure should be a top priority – outdated plugins and themes open your site up to potential hacks or exploits. Unfortunately, a popular Elementor plugin called Happy Addons was recently found to have a reflected cross-site scripting (XSS) vulnerability tracked as CVE-2023-6632. This affects all versions up to and including 3.9.1.1.

About the Happy Addons Plugin

Happy Addons is an extensions plugin for the Elementor page builder with over 400,000 active installs. It is developed by thehappymonster and has over 5 million total downloads. The plugin was last updated January 5th, 2024, the day the patched release and the advisory were published.

Details on the Vulnerability

Researcher xEHLE discovered insufficient input sanitization and output escaping in Happy Addons that allows reflected XSS via the DOM: the plugin's client-side code reads attacker-controlled data from the URL and writes it into the page without escaping it. An attacker can craft a link that injects JavaScript into the page, and the script executes in the browser of whoever clicks that link, with that user's session. Against an ordinary visitor this allows session hijacking or defacing what the page displays; if the victim is a logged-in administrator, the script can perform administrative actions on their behalf, such as creating accounts or installing plugins.
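The advisory does not name the affected parameter or sink, so the following is an added example (not code from Happy Addons, Wordfence, or the researcher) showing the general shape of a DOM-based reflected XSS of the kind described in the Detailed Overview and in this section, beside its hardened form. The hp_tab parameter, the tab markup, and the crafted link are hypothetical. It runs under Node.js, where URLSearchParams is a global.

```javascript
// Added example, not code from Happy Addons or the advisory: the general
// shape of a DOM-based reflected XSS and its fix. The "hp_tab" parameter and
// the tab markup are hypothetical; the advisory does not name the real sink.

// Source: the plugin's client-side script reads attacker-controlled parts of
// the URL. Both location.search and location.hash are chosen by whoever
// crafts the link; note that the fragment (#...) is never sent to the server.
function tabFromLocation(loc) {
  const fromSearch = new URLSearchParams(loc.search || "").get("hp_tab");
  const fromHash = new URLSearchParams((loc.hash || "").replace(/^#/, "")).get("hp_tab");
  return fromSearch || fromHash || "default";
}

// Vulnerable pattern: the raw value is concatenated into markup that the page
// then assigns to element.innerHTML, so any tag or event handler in it runs.
function renderTabVulnerable(loc) {
  const tab = tabFromLocation(loc);
  return `<div class="happy-tab" data-tab="${tab}">${tab}</div>`;
}

// Fix: HTML-encode before interpolating. Quotes are encoded too, so the value
// cannot break out of the data-tab attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTabSafe(loc) {
  const tab = escapeHtml(tabFromLocation(loc));
  return `<div class="happy-tab" data-tab="${tab}">${tab}</div>`;
}

// Where only text is needed, the better browser-side fix is to avoid innerHTML
// entirely: el.textContent = tabFromLocation(window.location); the browser
// then never parses the value as markup.

// Constructed crafted link of the kind the advisory describes (hypothetical).
const CRAFTED_LINK = {
  search: "?hp_tab=<img src=x onerror=alert(document.cookie)>",
  hash: "",
};

console.log("vulnerable:", renderTabVulnerable(CRAFTED_LINK));
console.log("hardened:  ", renderTabSafe(CRAFTED_LINK));
```

The vulnerable render produces an img element whose onerror handler fires as soon as the browser inserts the markup; the hardened render emits the same text as inert entities. The hash-based source is included because it is the case that matters for detection: a payload placed after # is never sent to the server and therefore never appears in access logs.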

The vulnerability is considered medium severity but should not be taken lightly. Exploitation could be extremely disruptive and costly for small business sites in particular.

Impacts of the Vulnerability

If exploited before patching, this vulnerability could have enabled:

  • Session hijacking
  • Site defacements
  • Phishing attempts
  • Further exploitation of privileged accounts
  • Infecting site visitors with malware

How to Remediate

The good news is the developers released Happy Addons version 3.10.0 to patch this vulnerability. All users should update immediately. Because reflected XSS leaves nothing on the server, checking for exploitation means reviewing web server access logs for crafted requests rather than searching for injected files. Consider alternatives like Sizzify if you cannot update promptly.

Previous Vulnerabilities

Research shows 5 previous vulnerabilities in Happy Addons since April 2021. This underscores the importance of rapid response from both plugin developers and users to patch security issues.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site – so you can focus on growing your business with peace of mind.

Don’t tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it’s our own – because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Happy Addons for Elementor Vulnerability – Reflected Cross-Site Scripting – CVE-2023-6632 | WordPress Plugin Vulnerability Report FAQs

What is the nature of this vulnerability?

The vulnerability is a reflected cross-site scripting issue or reflected XSS. This means that attackers could potentially inject malicious JavaScript code into pages that would execute if a user clicks on a specially crafted link. This could then lead to session hijacking, site defacement, stealing visitor data, or further exploitation.

What versions of Happy Addons are affected?

All versions of Happy Addons for Elementor up to and including 3.9.1.1 are affected by this vulnerability, as are versions of Happy Addons for Elementor Pro up to and including 2.9.1.1. Any site that has not yet updated to 3.10.0 or newer is exposed, so update as soon as possible to minimize risk.

How serious is this vulnerability?

The vulnerability has been given a CVSS severity score of 6.1 out of 10, meaning it is medium severity. However, XSS vulnerabilities should always be patched promptly as they can enable an array of attacks. Any site running a vulnerable version of Happy Addons could be at risk until updated.

What can attackers do if they exploit this?

If successfully exploited before patching, attackers could hijack the session of the user who followed the crafted link, deface what that user sees, steal data entered on the page, mount phishing attempts, serve malware, or, when the victim is a logged-in administrator, perform administrative actions such as creating accounts or installing plugins. The script runs only in the browser of a user who opens the crafted link, not for every visitor, but one administrator clicking is enough to compromise the site.

How was this vulnerability discovered?

The reflected XSS vulnerability was reported by a researcher using the handle xEHLE and published by Wordfence Threat Intelligence as CVE-2023-6632. Coordinated disclosure gives developers time to release a patch before details become public, which is what happened here with version 3.10.0.

How do I know if my site has been compromised?

Reflected XSS does not change files on the server, so there is usually nothing to find in the site's code itself. Instead, check the web server access logs for requests whose query string carries script-like payloads (for example an encoded <script tag, an onerror= handler, or a javascript: URI), remembering that attackers often URL-encode the payload once or twice. Payloads carried in the URL fragment (after #) never reach the server and will not appear in any log. If an administrator may have followed such a link, review what that session could have done: unexpected administrator users, modified plugin or theme files, and unfamiliar scheduled tasks. A full malware scan is still the only way to be reasonably sure.
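The checks recommended above, in the Advice for Users list, and under How to Remediate all come down to reading the access log for crafted requests. The following is an added example (not a tool from Wordfence or the plugin authors) that parses combined-format access log lines, URL-decodes each query string up to three times to catch double encoding, and reports requests carrying XSS indicators. The log lines are constructed for the example and the hp_tab parameter is hypothetical. It runs under Node.js.

```javascript
// Added example, not from the advisory or the plugin: triage web server access
// logs for reflected-XSS attempts in query strings. The log lines below are
// constructed and the "hp_tab" parameter is hypothetical.

// Constructed sample in Apache/nginx combined log format.
const SAMPLE_ACCESS_LOG = [
  '203.0.113.5 - - [06/Jan/2024:10:01:12 +0000] "GET /pricing/?hp_tab=features HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [06/Jan/2024:10:02:45 +0000] "GET /pricing/?hp_tab=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 5120 "https://evil.example/" "Mozilla/5.0"',
  '198.51.100.7 - - [06/Jan/2024:10:03:01 +0000] "GET /about/?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 3210 "-" "curl/8.4"',
  '203.0.113.9 - - [06/Jan/2024:10:04:19 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

// client-ip ident user [time] "METHOD target PROTOCOL" status
const ACCESS_LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3})/;

// Indicators that a decoded query string contains script rather than data.
// The event-handler list is deliberately explicit to avoid flagging ordinary
// parameter names such as "one=" or "only=".
const XSS_INDICATORS = [
  { name: "html-tag", re: /<\s*\/?\s*(script|img|svg|iframe|body|object|embed|video|audio|details|math)\b/i },
  { name: "event-handler", re: /\bon(error|load|click|mouseover|mouseenter|focus|toggle|pageshow|animationstart)\s*=/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
  { name: "script-call", re: /\b(alert|confirm|prompt|eval|fetch)\s*\(|document\.cookie/i },
];

// Decode percent-encoding repeatedly so double-encoded payloads (%253C -> %3C -> <)
// are seen in their final form. Stops on malformed sequences or a fixed point.
function fullyDecode(value, maxRounds = 3) {
  let current = value.replace(/\+/g, " ");
  for (let round = 0; round < maxRounds; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (_err) {
      break; // malformed escape: keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

function parseLine(line) {
  const m = ACCESS_LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  const qIdx = target.indexOf("?");
  return {
    ip,
    time,
    method,
    status: Number(status),
    path: qIdx === -1 ? target : target.slice(0, qIdx),
    query: qIdx === -1 ? "" : target.slice(qIdx + 1),
  };
}

function findIndicators(decodedQuery) {
  return XSS_INDICATORS.filter((ind) => ind.re.test(decodedQuery)).map((ind) => ind.name);
}

// Returns one finding per request whose decoded query string matches at least
// one indicator. Requests without a query string cannot carry a reflected
// payload in this sense and are skipped.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !req.query) continue;
    const decoded = fullyDecode(req.query);
    const indicators = findIndicators(decoded);
    if (indicators.length > 0) findings.push({ ...req, decoded, indicators });
  }
  return findings;
}

const REPORT = scanAccessLog(SAMPLE_ACCESS_LOG);
for (const f of REPORT) {
  console.log(`${f.time} ${f.ip} ${f.method} ${f.path} [${f.status}] ${f.indicators.join(",")} :: ${f.decoded}`);
}
```

A match proves an attempt, not a successful attack: the request may have hit a page that never rendered the parameter, and a 200 status only says the page loaded. Conversely, absence of matches proves little, because a payload placed in the URL fragment never reaches the server. Treat hits from the same source against plugin-rendered pages as a prompt to check whether any administrator opened such a link, and pair the log review with a full malware scan.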

What can users do to protect their sites?

Users should update to the latest patched release, Happy Addons version 3.10.0 or newer, as soon as possible. Also be sure to vet add-ons and themes carefully before installing them, and sign up for security update notifications from plugin developers. To limit the impact of the next XSS issue, keep administrator accounts to a minimum, and consider a Content Security Policy that restricts inline scripts where your theme and plugins allow it.

Should I find an alternate plugin?

The developers have addressed the issue responsibly with the new plugin version. But if you remain concerned, considering alternate plugins like Sizzify that offer similar functionality is wise until more details emerge. Always weigh the pros and cons of switching.

Where can I get help securing WordPress?

WordPress security requires constant vigilance that busy site owners struggle with. If you need help updating plugins, scanning for malware, managing permissions, or monitoring threat intelligence – consider partnering with a managed WordPress host that can provide an extra security layer.

Why do vulnerabilities happen with WordPress plugins?

Plugins extend WordPress functionality but also increase the attack surface. Much plugin code is created by solo developers without extensive security training or resources. Vulnerabilities inevitably emerge over time but can be mitigated by prompt patching by both developers and users.
