Piotnet Addons For Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets – CVE-2024-5502 | WordPress Plugin Vulnerability Report
Plugin Name: Piotnet Addons For Elementor
Key Information:
- Software Type: Plugin
- Software Slug: piotnet-addons-for-elementor
- Software Status: Active
- Software Author: piotnetdotcom
- Software Downloads: 565,317
- Active Installs: 40,000
- Last Updated: August 23, 2024
- Patched Versions: 2.4.31
- Affected Versions: <= 2.4.30
Vulnerability Details:
- Name: Piotnet Addons For Elementor <= 2.4.30
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-5502
- CVSS Score: 6.4
- Publicly Published: August 22, 2024
- Researcher: Webbernaut
- Description: The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's Image Accordion, Dual Heading, and Vertical Timeline widgets in all versions up to and including 2.4.30. This vulnerability arises due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute whenever a user accesses the affected page, potentially leading to unauthorized actions or data theft.
Summary:
The Piotnet Addons For Elementor plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.4.30 that allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. This vulnerability has been patched in version 2.4.31.
Detailed Overview:
The vulnerability, identified by researcher Webbernaut, exposes WordPress websites using the Piotnet Addons For Elementor plugin to potential Stored Cross-Site Scripting (XSS) attacks. This flaw is present in multiple widgets, including the Image Accordion, Dual Heading, and Vertical Timeline widgets. Due to inadequate input sanitization and output escaping, an attacker with contributor-level access can exploit this vulnerability to inject malicious scripts into a page. These scripts can execute whenever a user accesses the affected page, posing risks such as unauthorized actions, data theft, or further exploitation of the site. The vulnerability affects all versions of the plugin up to and including 2.4.30. Users are strongly advised to update to version 2.4.31 to secure their websites.
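The root cause named above, insufficient sanitization and escaping of widget settings, is a rendering pattern rather than a single line, so the following added example (not the plugin's own code) shows a simplified heading widget rendered both the unsafe way and the way WordPress expects. The settings array, the field names and the class name are constructed for the example; the escaping functions are the real WordPress ones (`esc_attr`, `esc_html`, `wp_kses_post`), with crude stand-ins defined only so the file runs under plain `php` outside WordPress.

```php
<?php
// Added example, not code from Piotnet Addons For Elementor.
// Stand-alone fallbacks so this runs under `php` without WordPress loaded;
// inside WordPress the real esc_attr()/esc_html()/wp_kses_post() are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_kses_post')) {
    // Cruder than the real wp_kses_post(): keeps a small tag allow-list and drops
    // every other tag. The real function also strips disallowed attributes.
    function wp_kses_post(string $text): string {
        return strip_tags($text, '<p><a><strong><em><br>');
    }
}

// Constructed widget settings, shaped like what get_settings_for_display()
// hands a widget: values a contributor can type into the editor.
$settings = [
    'heading_first'  => 'Welcome',
    'heading_second' => '<img src=x onerror=alert(1)>',   // constructed hostile value
    'heading_tag'    => 'h2',
    'title_class'    => '" autofocus onfocus="alert(1)',    // constructed hostile value
];

// Vulnerable pattern: settings interpolated straight into markup, so a value
// can close the attribute or add a new element with an event handler.
function render_dual_heading_unsafe(array $s): string {
    return '<' . $s['heading_tag'] . ' class="dual-heading ' . $s['title_class'] . '">'
        . '<span>' . $s['heading_first'] . '</span> '
        . '<span>' . $s['heading_second'] . '</span>'
        . '</' . $s['heading_tag'] . '>';
}

// Hardened pattern: the tag name is validated against an allow-list (escaping
// cannot make an arbitrary tag name safe), attribute values go through
// esc_attr(), plain text through esc_html(), and text that legitimately
// carries limited HTML through wp_kses_post(). All of it happens at output time.
function render_dual_heading_safe(array $s): string {
    $allowed_tags = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];
    $tag = in_array($s['heading_tag'] ?? '', $allowed_tags, true) ? $s['heading_tag'] : 'h2';
    return '<' . $tag . ' class="dual-heading ' . esc_attr($s['title_class'] ?? '') . '">'
        . '<span>' . esc_html($s['heading_first'] ?? '') . '</span> '
        . '<span>' . wp_kses_post($s['heading_second'] ?? '') . '</span>'
        . '</' . $tag . '>';
}

echo "UNSAFE:\n" . render_dual_heading_unsafe($settings) . "\n\n";
echo "SAFE:\n"   . render_dual_heading_safe($settings) . "\n";
```

Running it prints the unsafe markup with the injected attribute and element intact, and the safe markup with the quote encoded as `&quot;` and the `<img>` removed. The point to take from the safe variant is that each value is escaped for the context it lands in (attribute versus text versus limited HTML), and that structural pieces such as the tag name are allow-listed rather than escaped.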
Advice for Users:
- Immediate Action: Users should update to version 2.4.31 of the Piotnet Addons For Elementor plugin immediately to protect their sites from this vulnerability.
- Check for Signs of Exploitation: After updating, review your site for any unusual behavior or unauthorized script execution, particularly on pages that use the Image Accordion, Dual Heading, or Vertical Timeline widgets; the patch stops new injections but does not remove script content that was saved before the update.
- Alternate Plugins: While the patch addresses this specific issue, users who are particularly concerned about security may consider exploring alternative Elementor addons that offer similar functionality but have a stronger security track record.
- Stay Updated: Regularly updating all plugins and themes is crucial for maintaining a secure WordPress site. Keeping your site up to date reduces the risk of vulnerabilities being exploited.
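The "check for signs" step above is easier with a scan of the saved page data than by clicking through every page. The following added example (not from the plugin, Elementor, or Wordfence) walks the JSON that Elementor stores for each page and flags widgets whose settings contain script-like markup. It assumes Elementor keeps that JSON in the `_elementor_data` post meta as an array of elements with `elType`, `widgetType`, `settings` and nested `elements` keys; the widget slugs in `WATCHED_WIDGETS` are placeholders, since this page does not give the plugin's internal widget names, and the sample page data is constructed.

```php
<?php
// Added example, not code from the plugin or from Elementor.
// Heuristic patterns for markup that should not appear in a heading, accordion
// title or timeline entry. They will flag some legitimate content; treat hits
// as items to review, not as proof of compromise.
const SUSPICIOUS_PATTERNS = [
    '/<\s*script\b/i',
    '/\bjavascript\s*:/i',
    '/\bon[a-z]+\s*=/i',                       // inline handlers such as onerror=, onfocus=
    '/<\s*(iframe|object|embed|svg)\b/i',
];

// Placeholder slugs: replace with the widgetType values seen in your own
// _elementor_data. Leave the list empty to scan every widget on the page.
const WATCHED_WIDGETS = [
    'PLACEHOLDER-image-accordion',
    'PLACEHOLDER-dual-heading',
    'PLACEHOLDER-vertical-timeline',
];

// Recurse into nested setting arrays (repeater fields store items as arrays).
function value_looks_suspicious($value): bool {
    if (is_array($value)) {
        foreach ($value as $v) {
            if (value_looks_suspicious($v)) return true;
        }
        return false;
    }
    if (!is_string($value)) return false;
    foreach (SUSPICIOUS_PATTERNS as $re) {
        if (preg_match($re, $value)) return true;
    }
    return false;
}

// Walk the element tree (sections -> columns -> widgets) and collect hits.
function scan_elements(array $elements, array &$hits, string $path = ''): void {
    foreach ($elements as $i => $el) {
        $here = $path . '/' . ($el['id'] ?? $i);
        $type = $el['widgetType'] ?? $el['elType'] ?? 'unknown';
        $watched = WATCHED_WIDGETS === [] || in_array($type, WATCHED_WIDGETS, true);
        if ($watched && !empty($el['settings']) && is_array($el['settings'])) {
            foreach ($el['settings'] as $key => $val) {
                if (value_looks_suspicious($val)) {
                    $hits[] = ['path' => $here, 'widget' => $type, 'setting' => $key];
                }
            }
        }
        if (!empty($el['elements']) && is_array($el['elements'])) {
            scan_elements($el['elements'], $hits, $here);
        }
    }
}

// Entry point: takes one _elementor_data value (a JSON string) and returns hits.
function find_suspicious_widgets(string $elementor_json): array {
    $data = json_decode($elementor_json, true);
    if (!is_array($data)) return [];
    $hits = [];
    scan_elements($data, $hits);
    return $hits;
}

// Constructed sample of one page's _elementor_data: a section with a column
// holding two widgets, one of which carries an injected event handler.
$sample = json_encode([[
    'id' => 'sec1', 'elType' => 'section', 'settings' => [],
    'elements' => [[
        'id' => 'col1', 'elType' => 'column', 'settings' => [],
        'elements' => [
            ['id' => 'w1', 'elType' => 'widget', 'widgetType' => 'PLACEHOLDER-dual-heading',
             'settings' => ['heading_first' => 'Hello', 'heading_second' => 'World']],
            ['id' => 'w2', 'elType' => 'widget', 'widgetType' => 'PLACEHOLDER-image-accordion',
             'settings' => ['items' => [['title' => '<img src=x onerror=alert(1)>']]]],
        ],
    ]],
]]);

foreach (find_suspicious_widgets($sample) as $hit) {
    printf("review: widget %s at %s, setting '%s'\n", $hit['widget'], $hit['path'], $hit['setting']);
}
// Expected on the sample: one line for widget w2, setting 'items'.
//
// On a live site, feed each row of
//   wp db query "SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'" --skip-column-names
// (adjust the table prefix) into find_suspicious_widgets() and print the post_id with each hit.
```

Because the scan reads the stored settings rather than the rendered page, it also catches injected content sitting in draft or unpublished posts, which a browser-based review would miss. Anything it flags should be opened in the editor and checked against who last edited the post and when.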
Conclusion:
The prompt response from the developers of the Piotnet Addons For Elementor plugin to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure they are running version 2.4.31 or later to secure their WordPress installations and protect their websites from potential security threats.
References:
- Wordfence Threat Intelligence - Piotnet Addons For Elementor Vulnerability
- Wordfence Vulnerability Details