The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings – CVE-2024-5583 | WordPress Plugin Vulnerability Report

Plugin Name: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: the-plus-addons-for-elementor-page-builder
  • Software Status: Active
  • Software Author: posimyththemes
  • Software Downloads: 2,615,839
  • Active Installs: 100,000
  • Last Updated: August 21, 2024
  • Patched Versions: 5.6.3
  • Affected Versions: <= 5.6.2

Vulnerability Details:

  • Name: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.2
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonials Widget Settings
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-5583
  • CVSS Score: 6.4
  • Publicly Published: August 21, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the carousel_direction parameter of the testimonials widget in all versions up to and including 5.6.2. The plugin neither sanitizes this user-supplied attribute on input nor escapes it on output, so an authenticated attacker with Contributor-level access or higher can store arbitrary web script in a page. The script executes in the browser of any user who loads the injected page, which can lead to actions performed with that user's privileges or to data theft.

Summary:

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress has a vulnerability in versions up to and including 5.6.2 that allows authenticated attackers with contributor-level access to inject arbitrary web scripts via Stored Cross-Site Scripting (XSS). This vulnerability has been patched in version 5.6.3.

Detailed Overview:

The vulnerability, reported by researcher Ngô Thiên An (ancorn_) of VNPT-VCI, affects every site running the Plus Addons for Elementor plugin at version 5.6.2 or earlier. The flaw is in the testimonials widget, specifically the carousel_direction setting. The plugin treats that setting as a trusted attribute value: it is neither validated against the handful of values a carousel direction can legitimately take nor escaped when written into the rendered HTML, so a value that closes the attribute and opens another, such as an event handler, lands in the page markup intact. Contributor is the lowest WordPress role that can create posts, so the bar for exploitation is low. On a default install a Contributor cannot publish, which means the payload typically fires first in the browser of the editor or administrator who previews or reviews the page, and that is precisely the session an attacker wants; once the page is published it runs for every visitor. Users are strongly advised to update to version 5.6.3 to secure their websites.
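The following is an added example written for this report, not code from the plugin; it models the flawed render pattern in Python rather than the plugin's PHP. The attribute name data-direction, the wrapper class and the allowlist of ltr/rtl are assumptions (the advisory names only the carousel_direction parameter and does not show the plugin's markup), and the payload is constructed. Python's html.escape(..., quote=True) plays the role WordPress's esc_attr() plays in a real fix.

```python
import html
from html.parser import HTMLParser

# Assumption, not from the advisory: the only values a carousel direction should take.
ALLOWED_DIRECTIONS = frozenset({"ltr", "rtl"})


def render_vulnerable(settings):
    """The flawed pattern the advisory describes: a user-controlled widget setting is
    written straight into an HTML attribute with no input validation and no output escaping.
    The attribute name and class are assumed; the plugin's real markup is not on the page."""
    direction = settings.get("carousel_direction", "ltr")
    return f'<div class="testimonial-carousel" data-direction="{direction}"></div>'


def render_escaped(settings):
    """Output escaping only. quote=True turns " into &quot;, so the value can no longer
    close the attribute it sits in (this is what esc_attr() does in WordPress)."""
    direction = settings.get("carousel_direction", "ltr")
    return f'<div class="testimonial-carousel" data-direction="{html.escape(direction, quote=True)}"></div>'


def render_hardened(settings):
    """Both layers: reject anything outside the allowlist on the way in, and still escape
    on the way out so a later change of sink does not silently reopen the hole."""
    direction = settings.get("carousel_direction", "ltr")
    if direction not in ALLOWED_DIRECTIONS:
        direction = "ltr"
    return f'<div class="testimonial-carousel" data-direction="{html.escape(direction, quote=True)}"></div>'


class _FirstTag(HTMLParser):
    """Collect the attributes of the first start tag, the way a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def attributes_of(markup):
    """Return {name: value} for the first tag in markup; shows whether a payload became a real attribute."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


# Constructed payload: a closing quote ends the data-direction value, then an event handler follows.
PAYLOAD = {"carousel_direction": 'ltr" onmouseover="alert(1)'}

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("escaped", render_escaped),
                         ("hardened", render_hardened)):
        markup = render(PAYLOAD)
        print(f"{name:10s} {markup}")
        print(f"{'':10s} attributes seen by the parser: {sorted(attributes_of(markup))}")
```

Run as a script and the vulnerable render shows three attributes on the div, the injected onmouseover among them, while the escaped and hardened renders show two. Escaping alone already closes this particular hole because the sink is a double-quoted attribute; the allowlist is what protects you when the same setting is later reused in a different context (a URL, inline JavaScript, an unquoted attribute) where HTML entity escaping is the wrong tool.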

Advice for Users:

  • Immediate Action: Users should update to version 5.6.3 of the Plus Addons for Elementor plugin immediately to protect their sites from this vulnerability.
  • Check for Signs of Compromise: Updating removes the flaw but not anything an attacker already stored. Inspect the saved settings of every testimonials widget (Elementor keeps them in the _elementor_data post meta) for a carousel_direction value containing quotes, angle brackets or an on*= handler, review recently created or modified pages and any Contributor-or-higher accounts you do not recognize, and watch for unexpected script execution on pages where the widget is used.
  • Alternate Plugins: While the patch addresses this specific issue, users who are particularly concerned about security may consider exploring alternative Elementor addons that offer similar functionality but have a different security history.
  • Stay Updated: Regularly updating all plugins and themes is crucial for maintaining a secure WordPress site. Keeping your site up to date reduces the risk of vulnerabilities being exploited.

Conclusion:

The prompt response from the developers of the Plus Addons for Elementor plugin to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure they are running version 5.6.3 or later to secure their WordPress installations and protect their websites from potential security threats.

Detailed Report: 

In today’s digital landscape, maintaining your WordPress website’s security is more crucial than ever. For small business owners and website administrators, keeping up with the latest updates and security patches can be daunting, especially when time and resources are limited. However, neglecting these updates can leave your site vulnerable to attacks, potentially leading to data breaches, loss of customer trust, and severe financial consequences. Recently, a security vulnerability was disclosed in The Plus Addons for Elementor plugin, which has around 100,000 active installations. This vulnerability, identified as CVE-2024-5583, allows authenticated attackers with contributor-level access to inject malicious scripts via the testimonials widget, posing a serious risk to your site’s security. If left unpatched, this flaw could enable unauthorized actions or data theft, compromising the integrity of your website. To protect your site, update to the latest version, 5.6.3, and take the proactive steps described below.

The Plus Addons for Elementor is a popular WordPress plugin that extends the functionality of the Elementor page builder with a variety of widgets, templates, and tools. It’s widely used by website designers and developers to enhance the appearance and performance of WordPress sites. However, like any software, it’s essential to keep it updated to protect against emerging security threats.

Risks and Potential Impacts: Why This Matters

This vulnerability poses a significant risk to any website using the affected versions of The Plus Addons for Elementor plugin. The potential impacts include:

  • Unauthorized Script Execution: The stored script runs in the browser of whoever loads the affected page, including editors and administrators reviewing it, and can perform any action their session allows, such as changing settings or creating a new administrator account.
  • Data Theft: The script can read anything the victim's browser can reach on the site, including nonces, REST API responses and form contents, and send it to an attacker-controlled server.
  • Compromised User Trust: A breach that serves malicious script to visitors erodes the trust of your website’s users and can damage your brand’s reputation.

How to Remediate the Vulnerability

Immediate Action: The most important step is to update your Plus Addons for Elementor plugin to version 5.6.3, where this vulnerability has been patched. Updating closes the hole for future attempts, but it does not remove any script an attacker may already have stored in a page, so the check below is not optional if your site has Contributor-level accounts you do not fully trust.

Check for Signs of Compromise: After updating, inspect the stored settings of every testimonials widget rather than waiting for visible symptoms. Elementor saves each page's widget tree in the _elementor_data post meta; a carousel_direction value that contains quotes, angle brackets or an on*= handler is not a configuration mistake, it is an injected payload. Also review pages and revisions created or modified by Contributor-level accounts, and look for unexpected script execution on pages where the widget is used. This helps you identify whether your site was compromised before the update.
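Added example, not part of the original report and not a tool from the plugin vendor: a Python scan of Elementor's stored page data for the check described above. Elementor keeps each page's widget tree as a JSON array in the _elementor_data post meta; every element has an elType, widgets carry a widgetType and a settings object, and children sit under elements. The widgetType string of this plugin's testimonials widget and the legitimate values of carousel_direction are assumptions, so the scan matches any widget whose type contains "testimonial" and treats attribute-breakout characters as the hard signal. The sample data is constructed.

```python
import json
import re

# Assumption, not from the advisory: the values a carousel direction legitimately takes.
ALLOWED_DIRECTIONS = frozenset({"ltr", "rtl"})

# Tokens a direction setting never needs but an attribute-context XSS payload does.
BREAKOUT = re.compile(r"""[<>"'`]|\bon\w+\s*=|javascript:""", re.IGNORECASE)


def walk(elements, path=()):
    """Depth-first walk of Elementor's nested element tree (section/column/container/widget)."""
    for element in elements:
        here = path + (str(element.get("id", "?")),)
        yield element, here
        yield from walk(element.get("elements") or [], here)


def scan_elementor_data(post_id, meta_value, setting="carousel_direction", widget_hint="testimonial"):
    """Return one finding per widget whose stored `setting` looks injected.

    meta_value is the raw _elementor_data string (a JSON array of elements). The exact
    widgetType of the plugin's testimonials widget is not given in the advisory, so
    widget_hint is matched case-insensitively as a substring of widgetType.
    """
    try:
        tree = json.loads(meta_value)
    except (json.JSONDecodeError, TypeError) as exc:
        return [{"post_id": post_id, "reason": f"unparseable _elementor_data: {exc}"}]

    findings = []
    for element, path in walk(tree):
        if element.get("elType") != "widget":
            continue
        widget_type = str(element.get("widgetType", ""))
        if widget_hint not in widget_type.lower():
            continue
        value = (element.get("settings") or {}).get(setting)
        if value is None:
            continue  # setting left at its default, nothing stored to inspect
        if not isinstance(value, str) or BREAKOUT.search(value):
            reason = "attribute-breakout characters"      # hard signal: treat as compromise
        elif value not in ALLOWED_DIRECTIONS:
            reason = "value outside expected allowlist"    # soft signal: review by hand
        else:
            continue
        findings.append({"post_id": post_id, "widget": widget_type, "element": "/".join(path),
                         "setting": setting, "value": value, "reason": reason})
    return findings


# Constructed sample: one clean testimonials widget, one with a stored payload, one unrelated widget.
# The widgetType "tp-testimonial-listout" is assumed; substitute the real one from your own data.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1b2c3", "elType": "section", "settings": {}, "elements": [
        {"id": "d4e5f6", "elType": "column", "settings": {}, "elements": [
            {"id": "0a1b2c", "elType": "widget", "widgetType": "tp-testimonial-listout",
             "settings": {"carousel_direction": "ltr"}, "elements": []},
            {"id": "3d4e5f", "elType": "widget", "widgetType": "tp-testimonial-listout",
             "settings": {"carousel_direction": 'ltr" onmouseover="alert(1)'}, "elements": []},
            {"id": "6a7b8c", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "What our customers say"}, "elements": []},
        ]},
    ]},
])

if __name__ == "__main__":
    for finding in scan_elementor_data(42, SAMPLE_ELEMENTOR_DATA):
        print(finding)
```

To run it against a real site, list candidate posts with `wp post list --post_type=any --format=ids` and pull each one's meta with `wp post meta get <id> _elementor_data`, feeding the output to scan_elementor_data. Include revisions, which can carry their own copy of this meta, since a Contributor's draft may live only there until an editor acts on it. A finding with the breakout reason is a stored payload regardless of whether the page was ever published; the allowlist reason is there only to surface values you did not expect and should be reviewed by hand.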

Consider Alternate Plugins: While the patch addresses this specific issue, you might want to explore alternative Elementor addons if you’re concerned about the plugin’s security history. Other addons might offer similar functionality with different security records.

Stay Updated: Regularly updating all plugins and themes is crucial for maintaining a secure WordPress site. Ensuring your site is up to date reduces the risk of vulnerabilities being exploited and ensures that you benefit from the latest security enhancements.

Overview of Previous Vulnerabilities

The Plus Addons for Elementor plugin has had 19 previous vulnerabilities reported since April 13, 2021. While each of these vulnerabilities has been addressed, this history underscores the importance of staying vigilant with updates and security practices. Regularly checking for and applying updates is essential to protect your site from both known and emerging threats.

Conclusion: The Importance of Staying on Top of Security Vulnerabilities

For small business owners, managing website security can seem overwhelming, especially when time and resources are limited. However, staying on top of security vulnerabilities is critical for protecting your business, your customers, and your reputation. By keeping your plugins updated, using trusted security tools, and staying informed about potential threats, you can significantly reduce the risk of a cyberattack. Remember, proactive security management is always better than reacting to a breach after it has occurred.

If you’re concerned about your website’s security or need assistance with updates, don’t hesitate to seek professional help. Your website is a vital asset—protect it with the attention it deserves.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
