Royal Elementor Addons and Templates Vulnerability – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Magazine Grid/Slider Widget – CVE-2024-5818 | WordPress Plugin Vulnerability Report
Plugin Name: Royal Elementor Addons and Templates
Key Information:
- Software Type: Plugin
- Software Slug: royal-elementor-addons
- Software Status: Active
- Software Author: wproyal
- Software Downloads: 6,367,071
- Active Installs: 400,000
- Last Updated: July 29, 2024
- Patched Versions: 1.3.981
- Affected Versions: <= 1.3.980
Vulnerability Details:
- Name: Royal Elementor Addons and Templates <= 1.3.980
- Type: Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Magazine Grid/Slider Widget
- CVE: CVE-2024-5818
- CVSS Score: 6.4
- Publicly Published: July 23, 2024
- Researcher: Webbernaut
- Description: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored DOM-based Cross-Site Scripting via the plugin's Magazine Grid/Slider widget in all versions up to and including 1.3.980 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Royal Elementor Addons and Templates plugin for WordPress has a vulnerability in versions up to and including 1.3.980 that allows authenticated attackers with contributor-level access to inject arbitrary web scripts via the Magazine Grid/Slider widget. This vulnerability has been patched in version 1.3.981.
Detailed Overview:
The vulnerability was identified by researcher Webbernaut and involves a lack of proper input sanitization and output escaping in the Magazine Grid/Slider widget. This flaw allows attackers with contributor-level access to inject malicious scripts into pages. When users access these pages, the scripts execute, leading to potential data theft, unauthorized actions, or other malicious activities. The severity of this vulnerability is indicated by a CVSS score of 6.4, highlighting the importance of addressing it promptly.
Advice for Users:
Immediate Action: Users should update the Royal Elementor Addons and Templates plugin to version 1.3.981 or later to secure their sites from this vulnerability. Check for Signs of Vulnerability: Review your site's pages and logs for any unexpected script injections or unauthorized content changes, particularly in pages using the Magazine Grid/Slider widget. Alternate Plugins: While the issue has been patched, users might consider exploring other Elementor addons with robust security features as a precautionary measure. Stay Updated: Regularly updating all plugins and the WordPress core is essential to maintain site security and prevent vulnerabilities.
Conclusion:
The prompt response from the developers of Royal Elementor Addons and Templates to patch this vulnerability underscores the importance of timely updates. Users are strongly encouraged to ensure they are running version 1.3.981 or later to protect their WordPress sites from potential exploits.
References:
Detailed Report:
Ensuring the security of your WordPress website is crucial, especially when using popular plugins that enhance functionality. Recently, a significant vulnerability was discovered in the Royal Elementor Addons and Templates plugin, affecting versions up to 1.3.980. This vulnerability, identified as CVE-2024-5818, allows authenticated attackers with contributor-level access to inject malicious scripts via the Magazine Grid/Slider widget, leading to stored DOM-based cross-site scripting (XSS). Such vulnerabilities highlight the critical importance of keeping your website's plugins up to date to prevent potential security breaches and protect your data.
Details About the Plugin:
The Royal Elementor Addons and Templates plugin, developed by wproyal, is a widely-used tool designed to enhance the capabilities of the Elementor page builder. With over 6 million downloads and 400,000 active installs, it offers a range of features to improve site design and functionality. Despite its popularity, the recent discovery of a vulnerability underscores the necessity for regular updates and vigilant security practices.
Details About the Vulnerability:
The vulnerability in the Royal Elementor Addons and Templates plugin, up to and including version 1.3.980, involves insufficient input sanitization and output escaping. This flaw allows authenticated users with contributor-level access to inject arbitrary web scripts into pages. When these pages are accessed, the injected scripts execute, potentially leading to data theft, unauthorized actions, and other malicious activities. The vulnerability, discovered by researcher Webbernaut, was publicly disclosed on July 23, 2024, and has a CVSS score of 6.4, indicating a significant risk level.
Risks and Potential Impacts of the Vulnerability:
The primary risk associated with this vulnerability is the execution of malicious scripts when users access pages containing the injected content. This can lead to unauthorized data access, data theft, and other malicious actions that compromise the integrity and security of the website. The ability for contributors to inject scripts increases the potential for internal threats, making it essential to address this issue promptly.
How to Remediate the Vulnerability:
To mitigate the risks posed by this vulnerability, users must update the Royal Elementor Addons and Templates plugin to version 1.3.981 or later, where the issue has been patched. It is also advisable to review site content and access logs for any signs of unauthorized script injections or content changes. For those seeking additional security, exploring alternative plugins with robust security features may be beneficial.
Overview of Previous Vulnerabilities:
The Royal Elementor Addons and Templates plugin has a history of previous vulnerabilities, highlighting the ongoing need for vigilance and timely updates to protect against new and emerging threats. There have been 41 previous vulnerabilities reported since March 4, 2022, emphasizing the importance of regular maintenance and security checks.
Conclusion:
For small business owners managing a WordPress website, staying on top of security vulnerabilities can be challenging but is vital for protecting your site and data. Regular updates, security audits, and professional assistance when needed are essential practices to ensure the security of your online presence. By prioritizing these measures, you can safeguard your website, maintain user trust, and prevent potential security breaches.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.