Premium Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Animated Text Widget – CVE-2024-6495 | WordPress Plugin Vulnerability Report
Plugin Name: Premium Addons for Elementor
Key Information:
- Software Type: Plugin
- Software Slug: premium-addons-for-elementor
- Software Status: Active
- Software Author: leap13
- Software Downloads: 33,726,442
- Active Installs: 700,000
- Last Updated: July 27, 2024
- Patched Versions: 4.10.37
- Affected Versions: <= 4.10.36
Vulnerability Details:
- Name: Premium Addons for Elementor <= 4.10.36
- Type: Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Animated Text Widget
- CVE: CVE-2024-6495
- CVSS Score: 6.4
- Publicly Published: July 11, 2024
- Researcher: Webbernaut
- Description: The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text widget in all versions up to and including 4.10.36. This vulnerability is due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts into pages, which will execute whenever a user accesses an injected page.
Summary:
The Premium Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 4.10.36 that allows authenticated attackers with contributor-level access to inject arbitrary web scripts via the Animated Text widget. This vulnerability has been patched in version 4.10.37.
Detailed Overview:
The vulnerability was identified by researcher Webbernaut and involves a lack of proper input sanitization and output escaping in the Animated Text widget. This allows attackers with contributor-level access to inject malicious scripts into pages. When users access these pages, the scripts execute, leading to potential data theft, unauthorized actions, or other malicious activities. The severity of this vulnerability is indicated by a CVSS score of 6.4, highlighting the importance of addressing it promptly.
Advice for Users:
- Immediate Action: Users should update the Premium Addons for Elementor plugin to version 4.10.37 or later to secure their sites from this vulnerability.
- Check for Signs of Vulnerability: Review your site's pages and logs for any unexpected script injections or unauthorized content changes, particularly in pages using the Animated Text widget.
- Alternate Plugins: While the issue has been patched, users might consider exploring other Elementor addons with robust security features as a precautionary measure.
- Stay Updated: Regularly updating all plugins and the WordPress core is essential to maintain site security and prevent vulnerabilities.
Conclusion:
The prompt response from the developers of Premium Addons for Elementor to patch this vulnerability underscores the importance of timely updates. Users are strongly encouraged to ensure they are running version 4.10.37 or later to protect their WordPress sites from potential exploits.
Detailed Report:
Ensuring the security of your WordPress website is crucial, particularly when using popular plugins that enhance functionality. Recently, a significant vulnerability was discovered in the Premium Addons for Elementor plugin, affecting versions up to 4.10.36. This vulnerability, identified as CVE-2024-6495, is a stored DOM-based Cross-Site Scripting (XSS) flaw that allows authenticated attackers with contributor-level access to inject malicious scripts via the Animated Text widget. Such vulnerabilities underscore the importance of keeping your website's plugins up to date to prevent potential security breaches and protect your data.
Details About the Plugin:
The Premium Addons for Elementor plugin, developed by leap13, is a widely used tool designed to extend the capabilities of the Elementor page builder. With over 33 million downloads and 700,000 active installs, it offers a range of features to enhance website design and functionality. Despite its popularity, the recent discovery of a vulnerability highlights the need for regular updates and vigilant security practices.
Details About the Vulnerability:
The vulnerability in the Premium Addons for Elementor plugin, up to and including version 4.10.36, involves insufficient input sanitization and output escaping in the Animated Text widget. This flaw allows authenticated users with contributor-level access to inject arbitrary web scripts into pages. When these pages are accessed, the injected scripts execute, potentially leading to data theft, unauthorized actions, and other malicious activities. The vulnerability, discovered by researcher Webbernaut, was publicly disclosed on July 11, 2024, with a CVSS score of 6.4, indicating a significant risk level.
Risks and Potential Impacts of the Vulnerability:
The primary risk associated with this vulnerability is the execution of malicious scripts when users access pages containing the Animated Text widget. This can lead to unauthorized data access, data theft, and other malicious actions that compromise the integrity and security of the website. The ability for contributors to inject scripts increases the potential for internal threats, making it essential to address this issue promptly.
How to Remediate the Vulnerability:
To mitigate the risks posed by this vulnerability, users must update the Premium Addons for Elementor plugin to version 4.10.37 or later, where the issue has been patched. It is also advisable to review site content and access logs for any signs of unauthorized script injections or content changes, particularly in pages using the Animated Text widget. For those seeking additional security, exploring alternative Elementor addons with robust security features may be beneficial.
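The review step above (checking pages that use the Animated Text widget for unexpected markup) as an added example, not code from the plugin or from this report: a small Python scanner over the JSON element tree that Elementor stores in a post's `_elementor_data` meta. The widget type fragment and the setting key are assumed placeholders to confirm against your own site's data, and the sample tree is constructed.

```python
import json
import re

# Assumed: Premium Addons registers the widget with a widgetType string that
# contains "animated-text". Verify against a real _elementor_data value.
ANIMATED_TEXT_FRAGMENT = "animated-text"

# Markup that has no business in a plain-text widget setting: an HTML tag,
# an inline event handler attribute, or a javascript: URL.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z][\w-]*|on[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def walk(elements, path=()):
    """Yield (path, element) for every node in an Elementor element tree."""
    for el in elements:
        here = path + (el.get("id", "?"),)
        yield here, el
        yield from walk(el.get("elements", []), here)


def scan_elementor_data(raw_json: str) -> list:
    """Return findings for Animated Text widgets whose settings contain markup."""
    findings = []
    for path, el in walk(json.loads(raw_json)):
        if el.get("elType") != "widget":
            continue
        if ANIMATED_TEXT_FRAGMENT not in str(el.get("widgetType", "")).lower():
            continue
        for key, value in el.get("settings", {}).items():
            if isinstance(value, str) and SUSPICIOUS.search(value):
                findings.append({"path": "/".join(path), "setting": key, "value": value})
    return findings


# Constructed sample: one clean widget and one whose text setting carries a tag.
# The setting key "animated_text" is a placeholder, not the plugin's real key.
SAMPLE = json.dumps([{
    "id": "a1", "elType": "section", "settings": {}, "elements": [{
        "id": "b2", "elType": "column", "settings": {}, "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "premium-addon-animated-text",
             "settings": {"animated_text": "Welcome to our site"}},
            {"id": "d4", "elType": "widget", "widgetType": "premium-addon-animated-text",
             "settings": {"animated_text": "Hello <script>/* injected */</script>"}},
        ]}]}])

if __name__ == "__main__":
    for f in scan_elementor_data(SAMPLE):
        print(f"{f['path']} [{f['setting']}]: {f['value']!r}")
```

Feed it the `_elementor_data` meta value of each page (for example via `wp post meta get <post_id> _elementor_data`) and review every hit by hand, since legitimate content may contain harmless markup.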
Overview of Previous Vulnerabilities:
Since April 13, 2021, the Premium Addons for Elementor plugin has had 24 previous vulnerabilities reported. This history emphasizes the ongoing need for vigilance and the importance of timely updates to protect against new and emerging threats.
Conclusion:
For small business owners managing a WordPress website, staying on top of security vulnerabilities can be challenging but is vital for protecting your site and data. Regular updates, security audits, and professional assistance when needed are essential practices to ensure the security of your online presence. By prioritizing these measures, you can safeguard your website, maintain user trust, and prevent potential security breaches.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.