Royal Elementor Addons and Templates Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Form Builder Widget – CVE-2024-3887 | WordPress Plugin Vulnerability Report

Plugin Name: Royal Elementor Addons and Templates

Key Information:

  • Software Type: Plugin
  • Software Slug: royal-elementor-addons
  • Software Status: Active
  • Software Author: wproyal
  • Software Downloads: 5,453,490
  • Active Installs: 300,000
  • Last Updated: May 15, 2024
  • Patched Versions: 1.3.975
  • Affected Versions: <= 1.3.974

Vulnerability Details:

  • Name: Royal Elementor Addons and Templates <= 1.3.974 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Builder Widget
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-3887
  • CVSS Score: 5.4 (Medium)
  • Publicly Published: May 15, 2024
  • Researchers: Tim Coen and Ngô Thiên An
  • Description: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Form Builder widget in all versions up to, and including, 1.3.974 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Royal Elementor Addons and Templates plugin for WordPress has a vulnerability in versions up to and including 1.3.974 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the Form Builder widget due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 1.3.975.

Detailed Overview:

Researchers Tim Coen and Ngô Thiên An discovered a stored cross-site scripting (XSS) vulnerability in the Royal Elementor Addons and Templates plugin for WordPress. The vulnerability exists in the Form Builder widget and is caused by insufficient input sanitization and output escaping on user-supplied widget attributes. An authenticated attacker with Contributor-level access or above can save a crafted value into the widget, and the resulting script executes in the browser of every user who views the page. A Contributor cannot publish, so the typical trigger is an Editor or Administrator previewing or reviewing the submitted page; script running with that user's session can act with that user's privileges, so the practical risk is escalation from a low-privilege account to site compromise, alongside theft of session data and delivery of malicious content to visitors once the page is live.

Advice for Users:

  1. Immediate Action: Users should update the Royal Elementor Addons and Templates plugin to version 1.3.975 or later to patch this vulnerability.
  2. Check for Signs of Exploitation: Review pages and posts that contain Form Builder widgets, including drafts and items pending review submitted by Contributor accounts, for unexpected script-like content in widget settings. Also review post revisions and the list of users with Contributor access or above for accounts or changes you do not recognize.
  3. Alternate Plugins: A patch is available, so switching is not required; sites that want to reduce their exposure can still evaluate plugins that offer the same functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.3.975 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/royal-elementor-addons

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/royal-elementor-addons/royal-elementor-addons-and-templates-13974-authenticated-contributor-stored-cross-site-scripting-via-form-builder-widget

Detailed Report:

As a website owner, you know that keeping your site secure is of utmost importance. You invest time and resources into creating valuable content, building your brand, and engaging with your audience. However, a single vulnerability in your website's plugins can put all of that hard work at risk. In this blog post, we'll discuss a recently discovered vulnerability in the popular Royal Elementor Addons and Templates plugin for WordPress and why it's crucial to keep your plugins up to date.

The Vulnerable Plugin: Royal Elementor Addons and Templates

The Royal Elementor Addons and Templates plugin is a popular WordPress plugin that enhances the functionality of the Elementor page builder. It has been downloaded 5,453,490 times and is active on more than 300,000 websites. The plugin was last updated on May 15, 2024.

The Vulnerability: Authenticated (Contributor+) Stored Cross-Site Scripting via Form Builder Widget

Researchers Tim Coen and Ngô Thiên An discovered a stored cross-site scripting (XSS) vulnerability in the Royal Elementor Addons and Templates plugin. The vulnerability, identified as CVE-2024-3887, exists in the Form Builder widget and is caused by insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages, which will execute whenever a user accesses an injected page.
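The pattern the advisory describes, as an added illustration that is not code from the Royal Elementor Addons plugin and does not reproduce its actual widget: a widget setting that a Contributor can save from the editor is printed into an HTML attribute and into element text without escaping, shown next to the hardened version. The setting names, the payload and both render functions are constructed for this example; esc_attr() and esc_html() are defined here as stand-ins for the WordPress functions of the same name so the file runs outside WordPress.

```php
<?php
// Illustrative example, not code from the Royal Elementor Addons plugin: the
// generic stored-XSS pattern the advisory describes. A widget setting that a
// Contributor can save from the editor is printed into an HTML attribute and
// into element text without escaping, next to the hardened version.
declare(strict_types=1);

// Stand-ins for WordPress's esc_attr()/esc_html() so this runs outside WP.
// In a plugin you call the real functions; these exist only for the demo.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed widget settings, shaped like what the editor would save.
// The placeholder value closes the attribute and adds an event handler.
$settings = [
    'field_label'       => 'Your email',
    'field_placeholder' => '" autofocus onfocus="alert(document.domain)',
    'button_text'       => 'Send <3',
];

// VULNERABLE: settings concatenated straight into the markup.
function render_field_vulnerable(array $s): string
{
    return '<label>' . $s['field_label'] . '</label>'
         . '<input type="text" placeholder="' . $s['field_placeholder'] . '">'
         . '<button type="submit">' . $s['button_text'] . '</button>';
}

// HARDENED: each setting escaped for the context it lands in. Attribute
// values go through esc_attr(); text nodes go through esc_html().
function render_field_hardened(array $s): string
{
    return '<label>' . esc_html($s['field_label']) . '</label>'
         . '<input type="text" placeholder="' . esc_attr($s['field_placeholder']) . '">'
         . '<button type="submit">' . esc_html($s['button_text']) . '</button>';
}

echo "Vulnerable output:\n", render_field_vulnerable($settings), "\n\n";
echo "Hardened output:\n",   render_field_hardened($settings),   "\n";
```

In the vulnerable output the placeholder value terminates the attribute and the `onfocus` handler fires as soon as the autofocused field receives focus; in the hardened output the quote becomes `&quot;` and the whole string stays inside the placeholder. Sanitizing on save (for example with sanitize_text_field()) is worthwhile defence in depth, but escaping at output for the exact context (attribute, text, URL, JavaScript) is the control that closes this class of bug, and the code that renders a setting owns that escaping; it should not assume the editor layer has already filtered the value.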

Risks and Potential Impacts

If your website is running a version of the Royal Elementor Addons and Templates plugin lower than 1.3.975, you are at risk. Exploitation requires an account with the Contributor role or higher, so multi-author sites, sites with open registration, and sites that have ever handed out Contributor accounts to guest writers are the most exposed. From that foothold an attacker can plant script that runs in the browser of anyone who views the affected page, including the editors and administrators who review submitted content, and use it to steal session data, perform actions with the victim's privileges, or push malicious content to your visitors. This not only puts your website and data at risk but also jeopardizes your reputation and the trust your users place in you.

How to Remediate the Vulnerability

To protect your website from this vulnerability, follow these steps:

  1. Immediate Action: Update the Royal Elementor Addons and Templates plugin to version 1.3.975 or later to patch this vulnerability.
  2. Check for Signs of Exploitation: Review pages and posts that contain Form Builder widgets, including drafts and items pending review submitted by Contributor accounts, for unexpected script-like content in widget settings. Also review post revisions and the list of users with Contributor access or above for accounts or changes you do not recognize.
  3. Alternate Plugins: A patch is available, so switching is not required; sites that want to reduce their exposure can still evaluate plugins that offer the same functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
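As an added example that is not from this report or the plugin, the following stand-alone PHP script carries out the first two remediation steps above (the same steps listed under Advice for Users): it compares an installed plugin version against the patched release 1.3.975, and it walks an Elementor `_elementor_data` blob, the JSON tree of sections, columns and widgets that Elementor stores in post meta, flagging any widget setting whose value contains script-like content. The installed version and the blob are constructed inline; the widget type name `wpr-form-builder` used in the sample is an assumption rather than a confirmed identifier, which is why the scan inspects every widget instead of matching on a type name.

```php
<?php
// Added example (not from the report or the plugin): version check plus a
// scan of Elementor widget settings for script-like content.
declare(strict_types=1);

const PATCHED_VERSION = '1.3.975';

// Triage heuristics: strings that have no place in a form widget's settings.
// Matches are leads to investigate, not proof of compromise.
const SUSPICIOUS_PATTERNS = [
    '/<\s*script\b/i',
    '/\bon[a-z]+\s*=/i',                      // onerror=, onfocus=, onload= ...
    '/javascript\s*:/i',
    '/<\s*(iframe|svg|img|object|embed)\b/i',
];

function needs_update(string $installed): bool
{
    return version_compare($installed, PATCHED_VERSION, '<');
}

// Recurse through a setting value (a string, or nested arrays such as the
// repeater that holds a form's field list) and record matches by path.
function scan_setting($value, string $path, array &$hits): void
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            scan_setting($v, $path . '.' . $k, $hits);
        }
        return;
    }
    if (!is_string($value)) {
        return;
    }
    foreach (SUSPICIOUS_PATTERNS as $re) {
        if (preg_match($re, $value) === 1) {
            $hits[] = ['path' => $path, 'value' => $value];
            return;
        }
    }
}

// Depth-first walk of the element tree. Every widget is inspected, not only
// form widgets, because the exact widgetType string is not confirmed here.
function scan_elements(array $elements, array &$hits): void
{
    foreach ($elements as $el) {
        if (($el['elType'] ?? '') === 'widget') {
            $label = ($el['widgetType'] ?? '?') . '#' . ($el['id'] ?? '?');
            scan_setting($el['settings'] ?? [], $label, $hits);
        }
        if (!empty($el['elements'])) {
            scan_elements($el['elements'], $hits);
        }
    }
}

function scan_elementor_data(string $json): array
{
    $hits = [];
    $tree = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    scan_elements($tree, $hits);
    return $hits;
}

// --- Constructed sample input; this is NOT data from a real site -----------
$installedVersion = '1.3.974';   // live: wp plugin get royal-elementor-addons --field=version
$sampleMeta = json_encode([[
    'id' => 'a1b2c3', 'elType' => 'section', 'settings' => [], 'elements' => [[
        'id' => 'd4e5f6', 'elType' => 'column', 'settings' => [], 'elements' => [
            [
                'id' => 'g7h8i9', 'elType' => 'widget',
                'widgetType' => 'wpr-form-builder',          // assumed name
                'settings' => ['form_fields' => [
                    ['field_label' => 'Name',  'placeholder' => 'Your name'],
                    ['field_label' => 'Email', 'placeholder' => '" autofocus onfocus="alert(document.domain)'],
                ]],
            ],
            [
                'id' => 'j0k1l2', 'elType' => 'widget', 'widgetType' => 'heading',
                'settings' => ['title' => 'Contact us'],
            ],
        ],
    ]],
]]);

printf("installed %s vs patched %s: %s\n", $installedVersion, PATCHED_VERSION,
    needs_update($installedVersion) ? 'UPDATE REQUIRED' : 'ok');

foreach (scan_elementor_data($sampleMeta) as $hit) {
    printf("suspicious setting at %s: %s\n", $hit['path'], $hit['value']);
}
```

On a live site, feed the scanner real data with `wp post meta get <post_id> _elementor_data` for each page that uses Elementor, and read the installed version with `wp plugin get royal-elementor-addons --field=version`. Anything flagged should be cross-checked against the post's revision history and the account that last edited it before you treat it as an incident; the patterns are deliberately broad and will occasionally match legitimate text.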

Previous Vulnerabilities in Royal Elementor Addons and Templates

It's important to note that this is not the first vulnerability discovered in the Royal Elementor Addons and Templates plugin. Since March 2022, there have been 36 previous vulnerabilities reported. This highlights the importance of staying vigilant and keeping your plugins updated regularly.

The Importance of Staying on Top of Security Vulnerabilities

As a small business owner, managing a website can be overwhelming, and staying on top of security updates may not always be your top priority. However, neglecting these updates can put your website, your business, and your customers at risk. By regularly updating your plugins and staying informed about potential vulnerabilities, you can significantly reduce the risk of falling victim to cyber attacks.

If you're concerned about the security of your WordPress site or need assistance ensuring that your plugins are up to date, consider reaching out to a professional web development or security team. They can help you create a plan to keep your site secure and provide ongoing support to ensure that you're always protected against the latest threats.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
