Jeg Elementor Kit Vulnerability – Authenticated (Author+) Stored Cross-Site Scripting via SVG File – CVE-2024-6804 | WordPress Plugin Vulnerability Report
Plugin Name: Jeg Elementor Kit
Key Information:
- Software Type: Plugin
- Software Slug: jeg-elementor-kit
- Software Status: Active
- Software Author: jegtheme
- Software Downloads: 1,587,316
- Active Installs: 200,000
- Last Updated: September 14, 2024
- Patched Versions: 2.6.8
- Affected Versions: <= 2.6.7
Vulnerability Details:
- Name: Jeg Elementor Kit <= 2.6.7
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-6804
- CVSS Score: 6.4
- Publicly Published: August 26, 2024
- Researcher: wesley (wcraft)
- Description: The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via SVG file uploads in all versions up to and including 2.6.7. Due to insufficient input sanitization and output escaping, authenticated users with Author-level access and above can upload malicious SVG files, which may execute arbitrary web scripts when other users access these files.
Summary:
The Jeg Elementor Kit for WordPress has a vulnerability in versions up to and including 2.6.7 that allows authenticated attackers (with Author-level permissions or higher) to upload malicious SVG files containing arbitrary web scripts. These scripts are executed when the file is viewed by users. The vulnerability has been patched in version 2.6.8.
Detailed Overview:
This vulnerability, discovered by researcher wesley (wcraft), is a stored cross-site scripting (XSS) flaw that affects the Jeg Elementor Kit plugin. The issue stems from the plugin's inadequate input sanitization and output escaping processes when handling SVG files. Authenticated users with Author-level access can upload malicious SVG files that contain arbitrary scripts. When other users access the affected pages or files, the malicious scripts will execute, potentially compromising user data or allowing further attacks.
The risk associated with this vulnerability is rated as moderate, with a CVSS score of 6.4. The impact is limited to authenticated users with Author-level permissions or higher, but the risk of this vulnerability is significant due to the potential for sensitive information exposure and further exploitation through malicious scripts.
To mitigate the risk of this vulnerability, users should immediately update their plugin to version 2.6.8, where the issue has been resolved.
Advice for Users:
- Immediate Action: Update the Jeg Elementor Kit plugin to version 2.6.8 or later to mitigate the risk of stored cross-site scripting.
- Check for Signs of Vulnerability: Review recent SVG file uploads on your website, especially those made by Author-level users or above. Look for any suspicious activity or files that may contain malicious scripts.
- Alternate Plugins: If you're concerned about ongoing risks, you might consider using alternative plugins that offer similar functionality but with a stronger focus on security and input sanitization.
- Stay Updated: Regularly update all plugins, including Jeg Elementor Kit, to the latest version to ensure any vulnerabilities are patched promptly. Consider implementing a system to automatically monitor for new security updates.
Conclusion:
The prompt response from the Jeg Elementor Kit developers in addressing this vulnerability highlights the importance of keeping your plugins updated. Users are strongly encouraged to update to version 2.6.8 or later to ensure their WordPress installations remain secure and protected from potential exploits. Staying vigilant with plugin updates and monitoring for signs of compromise is key to maintaining a secure WordPress website.
References:
Detailed Report:
For small business owners managing a WordPress website, keeping plugins up to date can sometimes fall by the wayside. However, neglecting regular updates can expose your site to serious security risks. A newly discovered vulnerability in the Jeg Elementor Kit plugin highlights just how critical timely updates can be. This Stored Cross-Site Scripting (XSS) vulnerability affects versions up to and including 2.6.7 and can allow attackers with Author-level permissions or higher to upload malicious SVG files. These files can execute harmful scripts whenever accessed by other users, potentially leading to data theft, site compromise, or even further attacks.
This vulnerability has been patched in version 2.6.8, but if you haven’t updated yet, your website may still be vulnerable. If you’re unsure of whether your site is affected, this post will guide you through the necessary steps to secure your website and protect your business.
Plugin Overview:
The Jeg Elementor Kit plugin is a popular tool that helps users build stunning websites using the Elementor page builder. With over 1.5 million downloads and 200,000 active installations, it is widely trusted by website owners for adding professional design elements. The plugin was last updated on September 14, 2024, and the current patched version is 2.6.8.
- Software Slug: jeg-elementor-kit
- Active Installs: 200,000
- Patched Version: 2.6.8
- Affected Versions: <= 2.6.7
Vulnerability Details:
- Name: Jeg Elementor Kit <= 2.6.7
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-6804
- CVSS Score: 6.4 (Moderate)
- Publicly Published: August 26, 2024
- Researcher: wesley (wcraft)
The vulnerability allows authenticated users with Author-level permissions or higher to upload SVG files containing malicious scripts. Due to the plugin’s insufficient input sanitization and output escaping, these scripts are stored in the system and can be triggered whenever a user accesses the affected files or pages. This creates a risk for data theft, user impersonation, or further site exploitation. Although the vulnerability is limited to users with Author-level access, the consequences of leaving it unpatched can be significant.
Risks and Potential Impacts:
The CVSS score of 6.4 indicates that this vulnerability poses a moderate risk, primarily affecting websites that allow multiple users with Author-level permissions or higher. If your site is compromised, attackers can inject harmful scripts, steal user data, or exploit your site further. The XSS vulnerability could also be used as part of a larger attack, compromising other aspects of your website’s security.
Even if your business only grants higher access permissions to trusted users, this vulnerability should be addressed promptly to avoid any accidental or intentional misuse.
Remediation:
To protect your site from this vulnerability, it’s essential to update your Jeg Elementor Kit plugin to version 2.6.8 or later. Here's what you need to do:
- Immediate Action: Update the Jeg Elementor Kit plugin to version 2.6.8 through your WordPress dashboard. This version fixes the vulnerability by improving input sanitization and output escaping for SVG file uploads.
- Check for Signs of Vulnerability: Review recent SVG file uploads, especially those made by Author-level users or above. Look for suspicious file names or unusual activity that could indicate malicious scripts.
- Alternative Plugins: If you’re concerned about the security risks associated with Jeg Elementor Kit, consider switching to alternative plugins that offer similar functionality but may provide more robust security. Popular alternatives like Elementor Pro or Essential Addons for Elementor are often used for website customization.
- Stay Updated: Make sure to enable automatic updates for your plugins or check regularly for new updates. Keeping all plugins current reduces the risk of future vulnerabilities being exploited on your website.
Previous Vulnerabilities:
The Jeg Elementor Kit plugin has experienced several security issues in the past. Since November 4, 2022, there have been 9 vulnerabilities reported, all of which were addressed in subsequent patches. This pattern of vulnerabilities reinforces the need to regularly update your plugins to ensure that any known issues are promptly resolved.
Conclusion:
As a small business owner, it’s understandable that keeping track of every plugin update may seem overwhelming. However, the recent Stored Cross-Site Scripting (XSS) vulnerability in the Jeg Elementor Kit plugin demonstrates how important it is to stay on top of security patches. By ensuring that your plugins are always up to date, you’re actively protecting your business, customer data, and your website’s functionality from potential threats.
If you don’t have the time to manage updates manually, consider setting up automatic updates or working with a WordPress security professional to monitor and maintain your site’s security. Protecting your business from online threats is an ongoing responsibility, but by keeping your plugins updated, you can significantly reduce your risk of exposure to vulnerabilities.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.