Jeg Elementor Kit Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via JKit – Tabs and JKit – Accordion Widgets – CVE-2024-4479 | WordPress Plugin Vulnerability Report

Plugin Name: Jeg Elementor Kit

Key Information:

  • Software Type: Plugin
  • Software Slug: jeg-elementor-kit
  • Software Status: Active
  • Software Author: jegtheme
  • Software Downloads: 1,393,902
  • Active Installs: 200,000
  • Last Updated: July 2, 2024
  • Patched Versions: 2.6.6
  • Affected Versions: <= 2.6.5

Vulnerability Details:

  • Name: Jeg Elementor Kit <= 2.6.5
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via JKit - Tabs and JKit - Accordion Widgets
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-4479
  • CVSS Score: 6.4
  • Publicly Published: June 14, 2024
  • Researcher: wesley
  • Description: The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sg_general_toggle_tab_enable and sg_accordion_style attributes within the plugin's JKit - Tabs and JKit - Accordion widget, respectively, in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Jeg Elementor Kit for WordPress has a vulnerability in versions up to and including 2.6.5 that allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 2.6.6.

Detailed Overview:

The vulnerability in the Jeg Elementor Kit plugin, identified by researcher wesley, is located in the sg_general_toggle_tab_enable and sg_accordion_style attributes within the JKit - Tabs and JKit - Accordion widgets. This flaw is due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts. These scripts will execute whenever a user accesses a page containing the injected scripts. The risks of this vulnerability include the potential for attackers to perform actions on behalf of other users, access sensitive information, and compromise site integrity. The vulnerability has been addressed in version 2.6.6.

Advice for Users:

  • Immediate Action: Users are strongly encouraged to update to the patched version 2.6.6 immediately to mitigate the vulnerability.
  • Check for Signs of Vulnerability: Users should check their websites for any unexpected or suspicious scripts and review user accounts for unauthorized changes.
  • Alternate Plugins: While a patch is available, users might consider using alternate plugins that offer similar functionality as a precaution.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

Conclusion:

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.6.6 or later to secure their WordPress installations.

References:

Detailed Report: 

Introduction

In the ever-changing landscape of website management, maintaining the security of your WordPress site is critical. Regularly updating your plugins is a fundamental aspect of this security. Recently, a significant security vulnerability was discovered in the Jeg Elementor Kit plugin, a popular tool used by many to enhance their WordPress sites with advanced design elements. This vulnerability, identified as CVE-2024-4479, poses a considerable risk to websites using versions up to and including 2.6.5.

This vulnerability allows authenticated attackers with Contributor-level access to exploit the sg_general_toggle_tab_enable and sg_accordion_style attributes within the JKit - Tabs and JKit - Accordion widgets, injecting arbitrary web scripts that execute whenever a user accesses the compromised page. Due to insufficient input sanitization and output escaping, this flaw can lead to unauthorized actions, access to sensitive information, and compromised site integrity.

For website owners, particularly small business owners who may not have the resources to constantly monitor for such vulnerabilities, this highlights the necessity of staying updated and vigilant. This article will provide a comprehensive overview of the vulnerability, its potential impacts, and actionable steps to safeguard your site. Ensuring your site is secure not only protects your business but also preserves the trust of your users.

Plugin Details

Jeg Elementor Kit is a widely used WordPress plugin that enhances the design and functionality of websites by providing advanced elements and features. This plugin has been downloaded 1,393,902 times and is actively installed on 200,000 websites. Developed by jegtheme, it was last updated on July 2, 2024, with the latest version being 2.6.6, which includes a crucial security patch.

Vulnerability Details

The vulnerability, identified as CVE-2024-4479, affects all versions of the Jeg Elementor Kit plugin up to and including 2.6.5. This vulnerability, titled "Authenticated (Contributor+) Stored Cross-Site Scripting via JKit - Tabs and JKit - Accordion Widgets," is classified under CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

with a CVSS score of 6.4. It was publicly published on June 14, 2024, by researcher wesley.

The issue arises because the plugin's sg_general_toggle_tab_enable and sg_accordion_style attributes do not adequately sanitize inputs or escape outputs, making it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts. These scripts execute whenever a user accesses the compromised page.

Summary

The Jeg Elementor Kit for WordPress has a vulnerability in versions up to and including 2.6.5 that allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 2.6.6.

Detailed Overview

The vulnerability in the Jeg Elementor Kit plugin, identified by researcher wesley, involves the sg_general_toggle_tab_enable and sg_accordion_style attributes within the JKit - Tabs and JKit - Accordion widgets. This flaw is due to insufficient input sanitization and output escaping, enabling authenticated attackers with Contributor-level access to inject arbitrary web scripts. These scripts will execute whenever a user accesses a page containing the injected scripts.

The risks of this vulnerability are significant. Attackers can perform actions on behalf of other users, access sensitive information, and compromise the integrity of the site. Unauthorized changes to content and settings pose serious security risks for website owners. The vulnerability has been addressed in version 2.6.6, which includes necessary security enhancements to prevent such attacks.

Risks and Potential Impacts

This vulnerability can lead to unauthorized actions being performed on behalf of users, such as altering website content or settings. Attackers may gain access to sensitive information, compromising user privacy and site security. Additionally, the integrity and functionality of your website could be jeopardized, leading to potential downtime or loss of user trust.

For small business owners, the impact can be even more severe. A compromised website can result in financial losses, damage to reputation, and loss of customer trust. Therefore, it is crucial to address such vulnerabilities promptly to safeguard your business.

Previous Vulnerabilities

Since November 4, 2022, there have been 8 previous vulnerabilities identified in the Jeg Elementor Kit plugin. This history underscores the importance of regularly updating plugins and staying informed about potential security issues. Understanding past vulnerabilities can also help in better assessing the security measures needed for the future.

Conclusion

The prompt response from the plugin developers to patch this vulnerability highlights the critical importance of timely updates. For small business owners with WordPress websites, staying on top of security vulnerabilities can be challenging, but it is essential for protecting your site and your customers' data. Regularly updating your plugins and being aware of security advisories can significantly reduce your risk.

If you find it difficult to keep up with these updates, consider employing security plugins or services that can automate these tasks and provide peace of mind. By staying vigilant and proactive, you can ensure the security and reliability of your website, safeguarding your business and customer trust.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Jeg Elementor Kit Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via JKit – Tabs and JKit – Accordion Widgets – CVE-2024-4479 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment