Premium Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-4203 | WordPress Plugin Vulnerability Report

Plugin Name: Premium Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: premium-addons-for-elementor
  • Software Status: Active
  • Software Author: leap13
  • Software Downloads: 31,890,759
  • Active Installs: 700,000
  • Last Updated: May 13, 2024
  • Patched Versions: 4.10.31
  • Affected Versions: <= 4.10.30

Vulnerability Details:

  • Name: Premium Addons for Elementor <= 4.10.30
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-4203
  • CVSS Score: 5.4
  • Publicly Published: April 29, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The Premium Addons Pro for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the maps widget in all versions up to, and including, 4.10.30. This vulnerability arises due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability specifically affects sites running the premium version of the plugin.

Summary:

The Premium Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 4.10.30 that allows authenticated contributors to inject malicious scripts via the maps widget. This vulnerability has been patched in version 4.10.31.

Detailed Overview:

The vulnerability discovered in the Premium Addons for Elementor, identified by Ngô Thiên An of VNPT-VCI, presents a significant security risk particularly through its maps widget. Stored Cross-Site Scripting vulnerabilities like this allow attackers with at least contributor-level privileges to store harmful scripts on a website, which are then executed when other users access the affected pages. Such vulnerabilities can lead to unauthorized access, data theft, and potentially severe breaches in website integrity. Thankfully, this issue has been addressed in the recently released patch, version 4.10.31, which ensures that user inputs are properly sanitized and escaped to prevent further exploitation.

Advice for Users:

  • Immediate Action: Update to version 4.10.31 immediately to mitigate the vulnerability.
  • Check for Signs of Vulnerability: Administrators should scan their sites for unexpected scripts or unusual user-generated content that could indicate exploitation.
  • Alternate Plugins: While the patch corrects this specific issue, users may wish to explore alternative plugins that offer similar functionality as an additional precaution.
  • Stay Updated: Maintaining plugins and all software at the latest versions is crucial to protecting against vulnerabilities.

Conclusion:

The quick response by the developers of Premium Addons for Elementor to patch the vulnerability underscores the importance of timely updates. Website administrators are strongly advised to ensure they have updated to version 4.10.31 or later, as staying current with software versions is key to securing WordPress installations against potential threats.

Navigating Web Security: The Importance of Regular Plugin Updates

In today’s digital landscape, WordPress powers a significant portion of the web, underscoring its popularity among site owners ranging from small businesses to large enterprises. This widespread use also brings with it an inherent risk—vulnerabilities in widely-used plugins can expose a vast number of websites to potential threats. A recent example is a serious security flaw discovered in the Premium Addons for Elementor plugin, a tool that enhances the capabilities of one of the most popular WordPress builders, Elementor.

Plugin Details and Vulnerability Insights:

The Premium Addons for Elementor plugin, which boasts over 31 million downloads and is active on 700,000 sites, is an integral component for many WordPress users. Developed by leap13, this plugin recently encountered a critical issue in versions up to and including 4.10.30. Researcher Ngô Thiên An from VNPT-VCI uncovered a Stored Cross-Site Scripting (XSS) vulnerability affecting the maps widget of the plugin. This flaw, identified under CVE-2024-4203 with a CVSS score of 5.4, allows authenticated users with at least contributor privileges to inject malicious scripts into web pages.

Risks and Potential Impacts:

The implications of this vulnerability are severe, with potential risks including unauthorized data access, session hijacking, and the compromise of sensitive user information. Given the plugin's functionality and its widespread use, the impact can extend across thousands of sites, potentially affecting millions of users.

Steps for Remediation:

To address this vulnerability, the developers have released a patched version, 4.10.31, which all users are urged to install immediately. Website owners should also review their site for signs of exploitation, such as unexpected content modifications or unfamiliar scripts in the page source. As an additional precaution, exploring alternative plugins with similar functionalities that maintain a strong security track record can also be wise.
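The review step above (and the "Check for Signs of Vulnerability" advice earlier) can be scripted. Elementor stores each page's widget tree as JSON in the `_elementor_data` post meta; the walker below, added here as an example and not taken from the plugin, flags string settings that carry script-like markup. The widget type, setting names and sample blob are constructed for illustration, and the regex is a heuristic, not a complete XSS detector.

```python
import json
import re

# Markup that should not appear in a widget's text or attribute settings.
SUSPICIOUS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*iframe\b", re.IGNORECASE)

def _strings(value):
    """Yield every string nested inside a setting value (str/dict/list)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)

def walk_elements(elements):
    """Yield (widget_type, setting_key, string) for every string setting in the tree."""
    for el in elements:
        widget = el.get("widgetType") or el.get("elType", "?")
        for key, value in (el.get("settings") or {}).items():
            for s in _strings(value):
                yield widget, key, s
        yield from walk_elements(el.get("elements") or [])

def find_suspicious(elementor_data_json, widget_filter=None):
    """Parse an _elementor_data blob and return (widget, key, snippet) findings."""
    findings = []
    for widget, key, s in walk_elements(json.loads(elementor_data_json)):
        if widget_filter and widget != widget_filter:
            continue
        m = SUSPICIOUS.search(s)
        if m:
            findings.append((widget, key, s[max(0, m.start() - 10):m.end() + 30]))
    return findings

# Constructed sample blob; widget type and setting names are made up for this
# example, not taken from the plugin. The pin description carries a harmless canary.
SAMPLE = json.dumps([{"elType": "section", "settings": {}, "elements": [
    {"elType": "column", "settings": {}, "elements": [
        {"elType": "widget", "widgetType": "maps-widget",
         "settings": {"pins": [{"title": "HQ",
                                "desc": "Visit us <script>alert(1)</script>"}]}},
        {"elType": "widget", "widgetType": "heading",
         "settings": {"title": "Welcome"}}]}]}])

if __name__ == "__main__":
    for widget, key, snippet in find_suspicious(SAMPLE):
        print(f"{widget}.{key}: {snippet!r}")
```

In practice you would feed it each row of `SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'` and review the findings by hand.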

Historical Vulnerabilities:

This is not the first challenge for the Premium Addons for Elementor plugin—it has had 16 documented vulnerabilities since April 13, 2021. This history underscores the critical need for regular updates and active management of security practices.

Conclusion:

The rapid resolution of this vulnerability by the plugin developers highlights the ongoing battle between maintaining functionality and ensuring security in the digital tools we rely on. For small business owners, the task of keeping a website secure can seem daunting. Implementing automated updates, subscribing to security blogs or newsletters, and using managed WordPress hosting services can greatly reduce the burden. The safety of your digital presence is as crucial as the physical security of your store or office—neglecting it can have dire consequences.

By staying proactive about updates and informed about potential vulnerabilities, you can significantly mitigate risks and safeguard your business's online operations.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
