PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1055 | WordPress Plugin Vulnerability Report
Plugin Name: PowerPack Addons for Elementor (Free Widgets, Extensions and Templates)
Key Information:
- Software Type: Plugin
- Software Slug: powerpack-lite-for-elementor
- Software Status: Active
- Software Author: ideaboxcreations
- Software Downloads: 2,129,545
- Active Installs: 100,000
- Last Updated: February 13, 2024
- Patched Versions: 2.7.15
- Affected Versions: <= 2.7.14
Vulnerability Details:
- Name: PowerPack Addons for Elementor <= 2.7.14
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- CVE: CVE-2024-1055
- CVSS Score: 5.4
- Publicly Published: February 6, 2024
- Researcher: Webbernaut
- Description: The PowerPack Addons for Elementor plugin, which adds widgets, extensions and templates to the Elementor page builder, contains a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to and including 2.7.14. The issue arises from insufficient input sanitization and output escaping of user-supplied URL values in the plugin's button widgets: a link target such as a javascript: URL is stored and later written into an href attribute unchanged. Authenticated attackers with Contributor-level access or higher can therefore inject arbitrary web script into a page, and the script runs in the browser of anyone who views that page. Because Contributors cannot publish, the usual path is a crafted draft or pending post whose payload fires when an Editor or Administrator previews or reviews it, and for every visitor once it is published.
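To make the bug class concrete, here is an added Python model of the pattern described above. It is example code written for this report, not the plugin's own PHP: a button renderer that drops a stored URL straight into an href, beside a hardened renderer that allowlists the URL scheme on input and escapes the attribute on output (the WordPress helpers for those two steps are esc_url() and esc_attr()). The function names, the pp-button class name and the sample payloads are assumptions made for illustration.

```python
"""Added example: a Python model of the bug class in CVE-2024-1055, not the
plugin's own PHP. A stored button URL lands in an href without a scheme check
or attribute escaping; the hardened variant does both (WordPress equivalents:
esc_url() and esc_attr()). Names and payloads below are illustrative."""
import html
import re
from urllib.parse import urlsplit

# Schemes a button link is allowed to use; everything else is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}

# Characters browsers ignore while parsing a scheme, which lets a value such as
# "java\tscript:" slip past a naive startswith("javascript:") check.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")


def render_button_vulnerable(label: str, url: str) -> str:
    """Vulnerable pattern: the URL supplied by a Contributor is trusted as-is."""
    return f'<a class="pp-button" href="{url}">{html.escape(label)}</a>'


def url_scheme(url: str) -> str:
    """Scheme as a browser would see it, with ignorable characters removed."""
    return urlsplit(_IGNORED.sub("", url)).scheme.lower()


def sanitize_url(url: str) -> str:
    """Keep relative URLs and allowed schemes; reject javascript:, data:, etc."""
    scheme = url_scheme(url)
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return url.strip()


def render_button_hardened(label: str, url: str) -> str:
    """Hardened pattern: scheme allowlist on input, attribute escaping on output.

    The escaping step is what stops quote breakouts and entity tricks such as
    'javascript&colon;...' that contain no literal ':' and so pass the scheme check.
    """
    safe_url = html.escape(sanitize_url(url), quote=True)
    return f'<a class="pp-button" href="{safe_url}">{html.escape(label)}</a>'


if __name__ == "__main__":
    # Constructed payloads, not taken from any real exploit.
    for payload in ("javascript:alert(document.cookie)",
                    "JAVA\tscript:alert(1)",
                    '" onmouseover="alert(1)',
                    "javascript&colon;alert(1)",
                    "https://example.com/?a=1&b=2"):
        print("vulnerable:", render_button_vulnerable("Read more", payload))
        print("hardened:  ", render_button_hardened("Read more", payload))
```

Note that neither step alone is enough: the allowlist does nothing against a quote breakout, and escaping alone leaves a javascript: scheme intact, which is why the hardened renderer applies both.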
Summary:
The PowerPack Addons for Elementor plugin, widely used to extend the Elementor page builder, contains a medium-severity (CVSS 5.4) Stored Cross-Site Scripting vulnerability in versions up to and including 2.7.14. The issue is fixed in version 2.7.15. The rating is medium rather than critical because exploitation requires an authenticated account (Contributor or higher) and a victim who views the injected page, but a payload that runs in an Administrator's browser can still be used to take over the site, so the update should not be deferred.
Detailed Overview:
Reported by security researcher Webbernaut, this vulnerability is a reminder of the risk in accepting URL values from low-privileged users without validating the scheme and escaping the output. Script injected by a Contributor runs in the browser of whoever views the page, including Editors and Administrators who review drafts, and can be used to read that user's session-bound data, perform actions with their privileges, or alter page content. The vendor addressed the flaw in version 2.7.15, and sites running 2.7.14 or earlier should update without delay.
Advice for Users:
- Immediate Action: Update the PowerPack Addons for Elementor plugin to version 2.7.15 or later to close the vulnerability.
- Check for Signs of Exploitation: Review pages and templates recently edited by Contributor-level accounts, in particular button link fields, for link targets that use a javascript: or data: scheme or contain quote characters, and treat any such content as an indicator of attempted exploitation. Also review which accounts hold Contributor or higher access, since the bug is only reachable by authenticated users who can edit Elementor content.
- Alternate Plugins: Updating is sufficient; switching plugins is not required to address this issue. Keeping installed plugins to those the site actually uses still reduces attack surface.
- Stay Updated: Keep all WordPress plugins and themes current, since most WordPress compromises exploit known, already-patched vulnerabilities.
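As an added example of the "check for signs of exploitation" step above, written for this report and not shipped by the plugin or by Wordfence, here is a Python triage scan over Elementor-style page data that flags stored link targets with a disallowed scheme or attribute-breakout characters. Elementor stores widget settings as JSON in the _elementor_data post meta; the nested shape used below, the URL key names, the widget type names and the sample values are all constructed assumptions, and on a real site you would feed in the meta value of each recently edited post (for example via wp post meta get with the post ID and _elementor_data).

```python
"""Added example: a triage scan for CVE-2024-1055 style payloads in stored
Elementor page data. Not the plugin's or Wordfence's code. The JSON shape below
mirrors Elementor's _elementor_data post meta (nested elements, each with a
settings dict) as an assumption; sample content and widget names are constructed."""
import json
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto", "tel"}
URL_KEYS = {"url", "link_url", "href"}  # assumption: keys that hold link targets
_IGNORED = re.compile(r"[\x00-\x20\x7f]")  # characters a browser skips in a scheme

# Constructed sample: three button widgets, one clean and two malicious.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1b2c3", "elType": "section", "elements": [
        {"id": "d4e5f6", "elType": "column", "elements": [
            {"id": "0badf00", "elType": "widget", "widgetType": "pp-button",
             "settings": {"text": "Read more",
                          "link": {"url": "https://example.com/post", "is_external": ""}}},
            {"id": "1badf00", "elType": "widget", "widgetType": "pp-button",
             "settings": {"text": "Click",
                          "link": {"url": "JavaScript:alert(document.cookie)"}}},
            {"id": "2badf00", "elType": "widget", "widgetType": "pp-dual-button",
             "settings": {"button_one_text": "A",
                          "button_one_link": {"url": '" onmouseover="alert(1)'},
                          "button_two_link": {"url": "/contact"}}},
        ]},
    ]},
])


def suspicious_reason(url: str):
    """Why a stored URL is dangerous inside an href, or None if it looks benign."""
    scheme = urlsplit(_IGNORED.sub("", url)).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return f"disallowed scheme {scheme!r}"
    if re.search(r'["<>]', url):
        return "attribute/markup breakout characters"
    return None


def iter_urls(node, trail=()):
    """Yield (element id trail, url) for every link target in the tree."""
    if isinstance(node, dict):
        if isinstance(node.get("id"), str):
            trail = trail + (node["id"],)
        for key, value in node.items():
            if key in URL_KEYS and isinstance(value, str):
                yield trail, value
            else:
                yield from iter_urls(value, trail)
    elif isinstance(node, list):
        for item in node:
            yield from iter_urls(item, trail)


def scan_post(post_id, elementor_data_json: str):
    """Return one finding per suspicious URL in a post's _elementor_data JSON."""
    findings = []
    for trail, url in iter_urls(json.loads(elementor_data_json)):
        reason = suspicious_reason(url)
        if reason:
            findings.append({"post_id": post_id,
                             "element": trail[-1] if trail else None,
                             "url": url, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_post(42, SAMPLE_ELEMENTOR_DATA):
        print(f"post {f['post_id']} element {f['element']}: {f['reason']} -> {f['url']!r}")
```

The scheme check strips control characters and whitespace before parsing, because browsers do the same and a stored "java\tscript:" value would otherwise be missed; a hit on a scheme or on quote characters identifies the element ID, which can then be located and removed in the Elementor editor.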
Conclusion:
The Stored Cross-Site Scripting vulnerability in the PowerPack Addons for Elementor plugin is fixed in version 2.7.15, and the remaining exposure is on sites that have not applied the update. Site owners, particularly those with limited time for maintenance, should prioritise plugin updates, limit Contributor and higher accounts to users who need them, and review recently edited content when an update closes a stored XSS issue. Keeping plugins current is the single most effective defence against vulnerabilities of this kind.
References:
- Wordfence Vulnerability Report on PowerPack Addons for Elementor 2.7.14
- Wordfence Vulnerability Overview for PowerPack Lite for Elementor