Question 1

What is the vulnerability in the Elementor Addon Elements plugin?

Accepted Answer

What is the vulnerability in the Elementor Addon Elements plugin?

The vulnerability in the Elementor Addon Elements plugin allows Contributor-level users to inject malicious scripts into your website through improper input sanitization. The affected parameters, such as id and eae_slider_animation, allow these users to manipulate pages, and the scripts will execute when viewed by other users. These vulnerabilities are known as Stored Cross-Site Scripting (XSS) attacks, which can lead to data theft or unauthorized site actions.

Question 2

How serious is the Elementor Addon Elements vulnerability?

Accepted Answer

How serious is the Elementor Addon Elements vulnerability?

The vulnerabilities have a CVSS score of 6.4, which indicates a moderate level of risk. Although they do not allow for full site control, they still enable malicious script injections that can compromise site security. If left unpatched, these flaws can lead to data breaches, unauthorized changes to the site, or further exploitation through malicious code.

Question 3

How can I fix the vulnerabilities in the Elementor Addon Elements plugin?

Accepted Answer

How can I fix the vulnerabilities in the Elementor Addon Elements plugin?

The vulnerabilities can be resolved by updating the plugin to versions 1.13.6 or 1.13.7. These versions fix the issues related to input sanitization and output escaping, preventing Contributor-level users from injecting harmful scripts. Updating the plugin immediately is crucial to securing your website against potential exploitation.

Question 4

What are the risks if I don’t update the Elementor Addon Elements plugin?

Accepted Answer

What are the risks if I don’t update the Elementor Addon Elements plugin?

If you don’t update the plugin, your site remains vulnerable to Stored XSS attacks, where malicious scripts can be injected and executed. These scripts could steal user data, compromise your site's integrity, or enable further unauthorized actions. Over time, this could lead to more severe damage if attackers take advantage of these flaws.

Question 5

Who can exploit this vulnerability?

Accepted Answer

Who can exploit this vulnerability?

This vulnerability can be exploited by Contributor-level users or anyone with higher access privileges. These roles typically have limited permissions, but due to the improper sanitization in the plugin, they are able to inject harmful scripts into pages. This vulnerability does not affect unauthenticated users or those with lower access roles like subscribers.

Question 6

How can I check if my site has been affected?

Accepted Answer

How can I check if my site has been affected?

To check if your site has been affected, review your access logs for any unusual activity, particularly from Contributor-level users. Look for unauthorized script injections or unusual changes to your website's pages. If you notice any suspicious behavior, it could indicate that your site has been compromised by this vulnerability.

Question 7

What should I do if my site has been compromised?

Accepted Answer

What should I do if my site has been compromised?

If your site has been compromised, update the Elementor Addon Elements plugin to the latest version immediately. Review your site for any injected malicious scripts and remove them as necessary. It’s also a good idea to change admin passwords and monitor your site for further suspicious activity.

Question 8

Is the Elementor Addon Elements plugin safe to use after the update?

Accepted Answer

Is the Elementor Addon Elements plugin safe to use after the update?

Yes, after updating to versions 1.13.6 or 1.13.7, the vulnerabilities are patched, and the plugin is safe to use. The update ensures that Contributor-level users can no longer inject malicious scripts into your site. Keeping the plugin updated will help prevent future security risks.

Question 9

Are there alternative plugins to Elementor Addon Elements?

Accepted Answer

Are there alternative plugins to Elementor Addon Elements?

There are several alternatives to the Elementor Addon Elements plugin, such as Essential Addons for Elementor or Premium Addons for Elementor, which offer similar functionality. However, once updated, Elementor Addon Elements is a reliable and secure option for users. It’s essential to keep whichever plugin you choose updated regularly to avoid potential vulnerabilities.

Question 10

Why is it important to keep WordPress plugins updated?

Accepted Answer

Why is it important to keep WordPress plugins updated?

Keeping WordPress plugins updated is vital because updates often include security patches that fix known vulnerabilities. Failing to update plugins can leave your site open to attacks like the Stored XSS vulnerability in Elementor Addon Elements. Regular updates ensure that your site stays secure and functions optimally, protecting your business and user data from threats.

XSS vulnerability

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

Beaver Builder – WordPress Page Builder Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter – CVE-2024-7895 | WordPress Plugin Vulnerability Report

Jeg Elementor Kit Vulnerability – Authenticated (Author+) Stored Cross-Site Scripting via SVG File – CVE-2024-6804 | WordPress Plugin Vulnerability Report

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings – CVE-2024-5583 | WordPress Plugin Vulnerability Report

Piotnet Addons For Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets – CVE-2024-5502 | WordPress Plugin Vulnerability Report

Redux Framework Vulnerability – Unauthenticated JSON File Upload to Stored Cross-Site Scripting – CVE-2024-6828 | WordPress Plugin Vulnerability Report

SiteOrigin Widgets Bundle Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via SiteOrigin Blog Widget – CVE-2024-5090 | WordPress Plugin Vulnerability Report

WooCommerce Vulnerability – Reflected Cross-Site Scripting via Order Attribution – CVE-2024-37297 | WordPress Plugin Vulnerability Report

Photo Gallery by 10Web – Mobile-Friendly Image Gallery Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVG & Path Traversal via esc_dir Function – CVE-2024-5426, CVE-2024-5481 | WordPress Plugin Vulnerability Report

WP Mobile Menu – The Mobile-Friendly Responsive Menu Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Alt – CVE-2024-3987 | WordPress Plugin Vulnerability Report

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy