Jeg Elementor Kit Vulnerability – Multiple Stored Cross-Site Scripting Issues – CVE-2024-1327 & CVE-2024-3162 |WordPress Plugin Vulnerability Report
Plugin Name: Jeg Elementor Kit
Key Information:
- Software Type: Plugin
- Software Slug: jeg-elementor-kit
- Software Status: Active
- Software Author: jegtheme
- Software Downloads: 1,029,705
- Active Installs: 200,000
- Last Updated: April 2, 2024
- Patched Versions: 2.6.4
- Affected Versions: <= 2.6.3
Vulnerability 1 Details:
- Name: Jeg Elementor Kit <= 2.6.3
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-1327
- CVSS Score: 6.4
- Publicly Published: April 2, 2024
- Researcher: Nikolas - mdr
- Description: The Jeg Elementor Kit plugin is susceptible to Stored Cross-Site Scripting (XSS) attacks through its image box widget. Insufficient input sanitization and output escaping enable authenticated users with contributor-level access or higher to inject harmful scripts, compromising page security.
Vulnerability 2 Details:
- Name: Jeg Elementor Kit <= 2.6.3
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-3162
- CVSS Score: 6.4
- Publicly Published: April 2, 2024
- Researcher: Wesley
- Description: A similar Stored XSS vulnerability exists in the Testimonial Widget Attributes of the Jeg Elementor Kit plugin. Attackers with at least contributor access can exploit this flaw to execute arbitrary web scripts, posing a threat to site integrity and visitor security.
Summary:
The Jeg Elementor Kit for WordPress, an essential tool for countless websites, has been found vulnerable in versions up to and including 2.6.3. These vulnerabilities, identified as CVE-2024-1327 and CVE-2024-3162, allow for Stored Cross-Site Scripting attacks through the plugin's Image Box and Testimonial Widget, respectively. The developers have addressed these critical security issues in the updated version 2.6.4.
Detailed Overview:
Nikolas - mdr and Wesley, respected security researchers, have uncovered significant vulnerabilities in the Jeg Elementor Kit plugin that could severely compromise WordPress websites. These vulnerabilities enable authenticated users with specific access to inject malicious scripts, which could lead to unauthorized data access, site defacement, or other malicious activities. The prompt patching of these vulnerabilities in version 2.6.4 is a crucial step in protecting WordPress sites using this plugin.
Advice for Users:
- Immediate Action: Users should update to the patched version 2.6.4 immediately to mitigate the risks associated with these vulnerabilities.
- Check for Signs of Vulnerability: Regularly review your site for unexpected changes or content, which may indicate exploitation.
- Alternate Plugins: Although a patch is available, exploring alternative plugins offering similar functionality might be wise as a precautionary measure.
- Stay Updated: Consistently updating your WordPress plugins is essential for maintaining a secure website environment.
Conclusion:
The quick response by the Jeg Elementor Kit development team to patch these vulnerabilities underscores the critical nature of maintaining up-to-date software on your WordPress site. Users are strongly encouraged to upgrade to version 2.6.4 or later to ensure their sites are protected against these and potential future vulnerabilities.