Premium Addons for Elementor Vulnerability – Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion and Arbitrary Title Update – CVE-2024-6824 | WordPress Plugin Vulnerability Report

Plugin Name: Premium Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: premium-addons-for-elementor
  • Software Status: Active
  • Software Author: leap13
  • Software Downloads: 34,020,583
  • Active Installs: 700,000
  • Last Updated: August 12, 2024
  • Patched Versions: 4.10.39
  • Affected Versions: <= 4.10.38

Vulnerability Details:

  • Name: Premium Addons for Elementor <= 4.10.38
  • Title: Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion and Arbitrary Title Update
  • Type: Missing Authorization
  • CVE: CVE-2024-6824
  • CVSS Score: 4.3
  • Publicly Published: August 7, 2024
  • Researcher: stealthcopter
  • Description: The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38. This vulnerability allows authenticated attackers with Contributor-level access and above to delete arbitrary content and update post and page titles without proper authorization.

Summary:

The Premium Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 4.10.38 that allows authenticated (Contributor+) users to delete arbitrary content and update post and page titles without proper authorization. This vulnerability has been patched in version 4.10.39.

Detailed Overview:

Premium Addons for Elementor is a popular WordPress plugin that enhances the Elementor page builder with additional widgets and design elements. However, a vulnerability was discovered in the plugin, identified as CVE-2024-6824, which poses a security risk. The vulnerability stems from a missing capability check on the 'check_temp_validity' and 'update_template_title' functions, allowing authenticated users with Contributor-level access to delete arbitrary content and modify post and page titles. This flaw could lead to unauthorized content deletion or alteration, potentially disrupting the website’s content integrity and user experience.
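As an added illustration (not the plugin's own code, which this report does not show), the shape of the authorization check that closes this class of bug: a WordPress AJAX handler that verifies a nonce and then checks the per-post meta capability, so a Contributor can only touch the posts they are permitted to edit or delete. Handler, action and nonce names are hypothetical.

```php
<?php
// Added illustration, not Premium Addons' own code: two WordPress AJAX handlers of the
// same shape as the flaw the advisory describes, with the checks that were missing.
// Action, function and nonce names are hypothetical.
add_action( 'wp_ajax_demo_update_template_title', 'demo_update_template_title' );
add_action( 'wp_ajax_demo_delete_template', 'demo_delete_template' );

function demo_update_template_title() {
    // Request must originate from the plugin's own UI: verify the nonce (CSRF protection).
    check_ajax_referer( 'demo_template_nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( ! $post_id || '' === $title ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // Authorization is checked PER POST with the 'edit_post' meta capability.
    // A coarse current_user_can( 'edit_posts' ) would not help: Contributors hold it,
    // which is how a Contributor+ user reaches arbitrary posts when the per-post
    // check is missing. map_meta_cap() resolves this to edit_others_posts etc. as needed.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to edit this item.' ), 403 );
    }

    // Pass true so failures come back as WP_Error rather than 0.
    $result = wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'title' => $title ) );
}

function demo_delete_template() {
    check_ajax_referer( 'demo_template_nonce', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Same per-post rule, with the 'delete_post' meta capability.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to delete this item.' ), 403 );
    }

    // Trash rather than force-delete so an unwanted removal can be reversed from the admin UI.
    if ( ! wp_trash_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

The nonce alone is not an authorization control; it is the per-post capability check that stops a logged-in Contributor from acting on content they do not own.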

Discovered by security researcher stealthcopter, the vulnerability was publicly disclosed on August 7, 2024. It affects all versions of the Premium Addons for Elementor plugin up to and including 4.10.38. In response, the developers at leap13 released a patched version, 4.10.39, on August 12, 2024, to address the issue.

Advice for Users:

  • Immediate Action: Users are strongly encouraged to update to version 4.10.39 immediately to prevent unauthorized content deletion and title updates.
  • Check for Signs of Vulnerability: Users should review their site’s content and page titles to ensure no unauthorized changes have occurred, particularly if Contributor-level users have access to the site.
  • Alternate Plugins: While a patch is available, users might consider exploring alternative plugins that offer similar functionality as an extra precaution.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities and maintain the integrity of your website.

Conclusion:

The prompt response from the Premium Addons for Elementor development team to patch this vulnerability highlights the importance of timely updates. Users are advised to ensure that they are running version 4.10.39 or later to secure their WordPress installations. For small business owners, staying on top of security vulnerabilities might seem overwhelming, but it is essential for protecting your online presence. Regular maintenance, including updates and vulnerability checks, is key to safeguarding your site against potential threats. If you need assistance or have concerns about your website's security, don’t hesitate to seek professional help. Staying informed and proactive is key to maintaining a secure and trustworthy website.

Detailed Report:

Maintaining the security of your WordPress website is essential, especially with the growing number of vulnerabilities that can put your online presence at risk. One critical aspect of site security is ensuring that all plugins are regularly updated to prevent exploitation by malicious actors. Recently, a significant vulnerability was identified in the Premium Addons for Elementor plugin, a widely-used tool that enhances the Elementor page builder with additional widgets and design elements. This vulnerability, known as CVE-2024-6824, poses a serious risk by allowing attackers with Contributor-level access to delete arbitrary content and modify post and page titles without proper authorization. If left unaddressed, this could lead to unauthorized changes, disrupting your website’s content integrity and user experience.

Detailed Overview:

Premium Addons for Elementor is a popular WordPress plugin that enhances the Elementor page builder by adding a wide range of widgets and design elements, making it a go-to tool for many website owners. However, a serious vulnerability was recently discovered, identified as CVE-2024-6824. The vulnerability, discovered by security researcher stealthcopter, results from a missing capability check on critical functions such as 'check_temp_validity' and 'update_template_title'. This flaw allows authenticated users with Contributor-level access to delete content and modify post and page titles without the necessary permissions. Such unauthorized actions could significantly disrupt the website’s content integrity, leading to potential data loss and a compromised user experience.

The vulnerability has a CVSS score of 4.3, indicating a moderate risk. The issue was publicly disclosed on August 7, 2024, and affects all versions of the Premium Addons for Elementor plugin up to and including 4.10.38. In response to the discovery, the plugin developers at leap13 acted quickly, releasing a patched version, 4.10.39, on August 12, 2024, to resolve the issue and protect users from potential exploitation.

Risks and Potential Impacts:

This vulnerability poses a significant risk to websites using the Premium Addons for Elementor plugin, especially those that allow Contributor-level access to users. If exploited, the vulnerability could lead to unauthorized content deletion and modifications to post and page titles. This could result in data loss, altered content, and a compromised user experience, which could damage the site’s reputation and functionality.

Remediation:

To protect your site, it is imperative to update the Premium Addons for Elementor plugin to the latest version, 4.10.39, immediately. This update addresses the vulnerability and prevents unauthorized content deletion and title updates. Additionally, site owners should review their website’s content and page titles to ensure no unauthorized changes have occurred, particularly if Contributor-level users have access. While the patch resolves this specific issue, regularly updating all plugins and performing security audits are essential practices for maintaining a secure WordPress site.

Overview of Previous Vulnerabilities:

Since April 13, 2021, the Premium Addons for Elementor plugin has had 26 previous vulnerabilities reported. This history highlights the importance of regular updates and proactive security measures to protect your website from emerging threats. Although the plugin’s developers have been responsive in addressing these issues, the need for ongoing vigilance remains critical.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
