Jeg Elementor Kit Vulnerability – Multiple Stored Cross-Site Scripting Issues – CVE-2024-1327 & CVE-2024-3162 |WordPress Plugin Vulnerability Report

Plugin Name: Jeg Elementor Kit

Key Information:

  • Software Type: Plugin
  • Software Slug: jeg-elementor-kit
  • Software Status: Active
  • Software Author: jegtheme
  • Software Downloads: 1,029,705
  • Active Installs: 200,000
  • Last Updated: April 2, 2024
  • Patched Versions: 2.6.4
  • Affected Versions: <= 2.6.3

Vulnerability 1 Details:

  • Name: Jeg Elementor Kit <= 2.6.3
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Image Box
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1327
  • CVSS Score: 6.4
  • Publicly Published: April 2, 2024
  • Researcher: Nikolas - mdr
  • Description: The Jeg Elementor Kit plugin is susceptible to Stored Cross-Site Scripting (XSS) attacks through its image box widget. Insufficient input sanitization and output escaping enable authenticated users with contributor-level access or higher to inject harmful scripts, compromising page security.

Vulnerability 2 Details:

  • Name: Jeg Elementor Kit <= 2.6.3
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3162
  • CVSS Score: 6.4
  • Publicly Published: April 2, 2024
  • Researcher: Wesley
  • Description: A similar Stored XSS vulnerability exists in the Testimonial Widget Attributes of the Jeg Elementor Kit plugin. Attackers with at least contributor access can exploit this flaw to execute arbitrary web scripts, posing a threat to site integrity and visitor security.

Summary:

The Jeg Elementor Kit for WordPress, an essential tool for countless websites, has been found vulnerable in versions up to and including 2.6.3. These vulnerabilities, identified as CVE-2024-1327 and CVE-2024-3162, allow for Stored Cross-Site Scripting attacks through the plugin's Image Box and Testimonial Widget, respectively. The developers have addressed these critical security issues in the updated version 2.6.4.

Detailed Overview:

Nikolas - mdr and Wesley, respected security researchers, have uncovered significant vulnerabilities in the Jeg Elementor Kit plugin that could severely compromise WordPress websites. These vulnerabilities enable authenticated users with specific access to inject malicious scripts, which could lead to unauthorized data access, site defacement, or other malicious activities. The prompt patching of these vulnerabilities in version 2.6.4 is a crucial step in protecting WordPress sites using this plugin.

Advice for Users:

  • Immediate Action: Users should update to the patched version 2.6.4 immediately to mitigate the risks associated with these vulnerabilities.
  • Check for Signs of Vulnerability: Regularly review your site for unexpected changes or content, which may indicate exploitation.
  • Alternate Plugins: Although a patch is available, exploring alternative plugins offering similar functionality might be wise as a precautionary measure.
  • Stay Updated: Consistently updating your WordPress plugins is essential for maintaining a secure website environment.

Conclusion:

The quick response by the Jeg Elementor Kit development team to patch these vulnerabilities underscores the critical nature of maintaining up-to-date software on your WordPress site. Users are strongly encouraged to upgrade to version 2.6.4 or later to ensure their sites are protected against these and potential future vulnerabilities.

References:

Detailed Report:

In the digital age, where your website serves as the front door to your business, maintaining its security is paramount. The recent discovery of vulnerabilities within the widely-used Jeg Elementor Kit plugin for WordPress casts a spotlight on the ever-present cyber threats lurking in the digital landscape. With vulnerabilities designated as CVE-2024-1327 and CVE-2024-3162, the security of countless websites is at stake, underscoring the critical importance of timely updates and diligent website management.

About the Jeg Elementor Kit Plugin:

The Jeg Elementor Kit, crafted by jegtheme, is a pivotal tool in the WordPress ecosystem, boasting over 200,000 active installations. This plugin enhances website functionality, allowing for creative and dynamic content design. Despite its popularity and utility, the plugin became susceptible to Stored Cross-Site Scripting (XSS) attacks due to vulnerabilities in versions up to and including 2.6.3.

Vulnerability Details:

  • CVE-2024-1327: This vulnerability arises from insufficient input sanitization within the plugin's Image Box widget, enabling attackers with contributor-level access to inject malicious scripts.
  • CVE-2024-3162: Similarly, the Testimonial Widget Attributes were found to be vulnerable, allowing for the injection of harmful scripts by users with similar access levels. Both vulnerabilities pose significant risks to site integrity and user security, potentially leading to unauthorized data access and site defacement.

Risks and Potential Impacts:

The exploitation of these vulnerabilities can lead to severe consequences, including data breaches, loss of customer trust, and potential financial liabilities. For small business owners, the implications extend beyond mere technical setbacks, potentially harming the business's reputation and operational continuity.

Remediation Steps:

To mitigate these risks, users are urged to update the Jeg Elementor Kit plugin to the patched version 2.6.4 immediately. Additionally, regular monitoring for unusual site behavior and diligent updates of all WordPress components are essential practices to maintain site security.

Historical Context:

These are not the plugin's first vulnerabilities, with three previous issues reported since November 4, 2022. This history emphasizes the importance of ongoing vigilance and the need for a proactive approach to website security.

Conclusion:

The rapid response by the Jeg Elementor Kit's developers to address these vulnerabilities highlights the critical role of software updates in securing digital assets. For small business owners, who often juggle numerous responsibilities, understanding the importance of website security and implementing regular maintenance routines can be the key to safeguarding their online presence. In the vast and vulnerable digital landscape, staying informed and proactive is not just advisable—it's essential for the safety and success of your digital endeavors.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Jeg Elementor Kit Vulnerability – Multiple Stored Cross-Site Scripting Issues – CVE-2024-1327 & CVE-2024-3162 |WordPress Plugin Vulnerability Report FAQs

Leave a Comment