Image Hover Effects Vulnerability – Authenticated(Contributor+) DOM-based Stored Cross-Site Scripting via Image Hover Effects Widget – CVE-2024-1166 | WordPress Plugin Vulnerability Report
Plugin Name: Image Hover Effects
Key Information:
- Software Type: Plugin
- Software Slug: image-hover-effects-addon-for-elementor
- Software Status: Active
- Software Author: blocksera
- Software Downloads: 583,781
- Active Installs: 50,000
- Last Updated: May 6, 2024
- Patched Versions: 1.4.2
- Affected Versions: <= 1.4.1
Vulnerability Details:
- Name: Image Hover Effects - Elementor Addon <= 1.4.1 - Authenticated(Contributor+) DOM-based Stored Cross-Site Scripting via Image Hover Effects Widget
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-1166
- CVSS Score: 6.4 (Medium)
- Publicly Published: May 6, 2024
- Researcher: Webbernaut
- Description: The Image Hover Effects – Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Hover Effects Widget in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Image Hover Effects – Elementor Addon plugin for WordPress has a vulnerability in versions up to and including 1.4.1 that allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page. This vulnerability has been patched in version 1.4.2.
Detailed Overview:
The vulnerability was discovered by security researcher Webbernaut, who found that the Image Hover Effects – Elementor Addon plugin failed to sufficiently sanitize and escape user-supplied attributes in the Image Hover Effects Widget. This oversight allows authenticated attackers with contributor-level and above permissions to inject malicious scripts that would be stored and executed whenever a user accessed an affected page, potentially leading to a range of attacks, including theft of sensitive information or redirecting users to malicious websites.
Advice for Users:
- Immediate Action: Users are strongly encouraged to update the Image Hover Effects – Elementor Addon plugin to version 1.4.2 or later to mitigate this vulnerability.
- Check for Signs of Vulnerability: Website administrators should review their WordPress pages, especially those with the Image Hover Effects Widget, for any signs of injected scripts or unexpected behavior.
- Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.4.2 or later to secure their WordPress installations.
Detailed Report:
In the ever-evolving landscape of online threats, website owners must remain vigilant and prioritize the security of their WordPress sites. A recently discovered vulnerability in the Image Hover Effects - Elementor Addon plugin serves as a stark reminder of the importance of staying informed and taking prompt action to mitigate risks. In this blog post, we'll take a closer look at the vulnerability, its potential impact, and the steps you can take to protect your website.
Plugin Details:
The Image Hover Effects - Elementor Addon is a popular WordPress plugin that allows users to add visually appealing hover effects to images on their websites. The plugin boasts an impressive 583,781 downloads and 50,000 active installations. It was last updated on May 6, 2024.
Vulnerability Details:
On May 6, 2024, security researcher Webbernaut uncovered a serious vulnerability in the Image Hover Effects - Elementor Addon plugin, identified as CVE-2024-1166. The vulnerability allows authenticated attackers with contributor-level and above permissions to inject malicious scripts into pages using the plugin's Image Hover Effects Widget. This vulnerability affects all versions of the plugin up to and including 1.4.1.
Risks and Potential Impacts:
If left unpatched, the vulnerability in the Image Hover Effects - Elementor Addon plugin could lead to a range of serious consequences. Attackers could inject malicious scripts into affected pages, potentially leading to the theft of sensitive user information, redirection of users to malicious websites, or even complete takeover of the compromised site. The vulnerability has a CVSS score of 6.4 (Medium), indicating a significant risk to website security.
Remediation Steps:
To mitigate the risk posed by this vulnerability, website owners should take immediate action:
- Update the Image Hover Effects - Elementor Addon plugin to version 1.4.2 or later, which includes a patch for the vulnerability.
- Review your WordPress pages, especially those using the Image Hover Effects Widget, for any signs of injected scripts or unexpected behavior.
- Consider using alternative plugins that offer similar functionality as a precautionary measure.
- Ensure that all plugins and themes on your website are regularly updated to their latest versions to minimize the risk of vulnerabilities.
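One way to carry out the review step above against a site's stored Elementor content, as an added example that is not code from the plugin or from this report: it assumes the JSON shape Elementor keeps in each post's `_elementor_data` post meta (nested elements with `elType`, `widgetType`, `settings` and `elements`), and the widgetType name `image-hover-effects` in the constructed sample is hypothetical, not the plugin's real widget name. Elementor settings are stored as data, not rendered HTML, so script tags, inline event handlers or `javascript:` URLs inside a widget's string settings are a sign of injection worth a manual look.

```python
import json
import re

# Markup that should never appear in a stored widget setting (case-insensitive).
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"<\s*script\b",                     # <script> tags
    r"\bon[a-z]+\s*=",                   # inline event handlers such as onerror=
    r"javascript\s*:",                   # javascript: URLs in link settings
    r"<\s*(iframe|object|embed|svg)\b",  # other script-bearing elements
)]

def string_settings(settings, prefix=""):
    """Flatten a settings dict to (dotted_key, str) pairs, descending into nested dicts and repeater lists."""
    for key, value in settings.items():
        name = prefix + key
        if isinstance(value, str):
            yield name, value
        elif isinstance(value, dict):
            yield from string_settings(value, name + ".")
        elif isinstance(value, list):
            for i, item in enumerate(value):
                if isinstance(item, dict):
                    yield from string_settings(item, f"{name}[{i}].")

def walk_elements(elements, path=()):
    """Yield (path, key, value) for every string setting in the nested element tree."""
    for el in elements:
        here = path + (el.get("widgetType") or el.get("elType", "?"),)
        for key, value in string_settings(el.get("settings", {})):
            yield here, key, value
        yield from walk_elements(el.get("elements", []), here)

def find_injected(elementor_data_json):
    """Return one finding per setting whose value matches a suspicious pattern."""
    findings = []
    for path, key, value in walk_elements(json.loads(elementor_data_json)):
        hits = [p.pattern for p in SUSPICIOUS if p.search(value)]
        if hits:
            findings.append({"path": "/".join(path), "setting": key, "patterns": hits})
    return findings

# Constructed _elementor_data for one post: a clean widget and one carrying injected
# markup. The widgetType "image-hover-effects" is a hypothetical name, not the plugin's.
SAMPLE = json.dumps([{"id": "a1", "elType": "section", "settings": {}, "elements": [
    {"id": "b2", "elType": "column", "settings": {}, "elements": [
        {"id": "c3", "elType": "widget", "widgetType": "image-hover-effects",
         "settings": {"title": "Our team", "link": {"url": "https://example.com/team"}}},
        {"id": "d4", "elType": "widget", "widgetType": "image-hover-effects",
         "settings": {"title": "Hi<script>/* injected */</script>",
                      "link": {"url": "javascript:void(0)"}}}]}]}])
```

Feed `find_injected` the `_elementor_data` value of each post (for example from `wp post meta get <post_id> _elementor_data`) and inspect any post that produces findings; the patterns are deliberately broad, so treat hits as items to review rather than as confirmed compromise.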
Previous Vulnerabilities:
It's worth noting that the Image Hover Effects - Elementor Addon plugin has had a history of security issues. Since April 2021, there have been two previous vulnerabilities discovered in the plugin. This underscores the importance of regularly monitoring and updating your WordPress plugins to ensure the ongoing security of your website.
Conclusion:
As a small business owner with a WordPress website, staying on top of security vulnerabilities can be a daunting task. However, the consequences of neglecting website security can be severe, ranging from data breaches to complete loss of your online presence. By prioritizing regular updates, monitoring your site for suspicious activity, and partnering with experienced WordPress professionals, you can significantly reduce the risk of falling victim to plugin vulnerabilities like the one found in the Image Hover Effects - Elementor Addon.
Don't wait until it's too late – take proactive steps to secure your website today. If you're unsure about the security of your WordPress site or need assistance with plugin updates and vulnerability management, our team of experts is here to help. Contact us to learn more about our website security services and how we can help you protect your online business from evolving threats.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.