The Plus Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0445, CVE-2024-2785 | WordPress Plugin Vulnerability Report

Plugin Name: The Plus Addons for Elementor

Key Information:

  • Software Type: Plugin
  • Software Slug: the-plus-addons-for-elementor-page-builder
  • Software Status: Active
  • Software Author: posimyththemes
  • Software Downloads: 2,291,624
  • Active Installs: 100,000
  • Last Updated: May 6, 2024
  • Patched Versions: 5.5.0
  • Affected Versions: <= 5.4.2

Vulnerability Details:

  • Name: The Plus Addons for Elementor <= 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-0445, CVE-2024-2785
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 6, 2024
  • Researcher: Webbernaut, Phuoc Pham
  • Description: The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's element attributes and the Age Gate widget in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Plus Addons for Elementor plugin for WordPress has vulnerabilities in versions up to and including 5.4.2 that allow authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages via the plugin's element attributes and the Age Gate widget. These vulnerabilities have been patched in version 5.5.0.

Detailed Overview:

Researchers Webbernaut and Phuoc Pham discovered Stored Cross-Site Scripting vulnerabilities in The Plus Addons for Elementor plugin. The vulnerabilities are due to insufficient input sanitization and output escaping in the plugin's element attributes and the Age Gate widget. Attackers with contributor-level access or higher can exploit these vulnerabilities to inject malicious scripts that execute whenever a user accesses an affected page, potentially leading to a range of attacks such as stealing user session tokens, performing unauthorized actions, or redirecting users to malicious sites. The vulnerabilities have been assigned CVE-2024-0445 and CVE-2024-2785, with a CVSS score of 6.4, indicating a medium severity level.

Advice for Users:

  1. Immediate Action: Update to version 5.5.0 or later to ensure your site is protected against these vulnerabilities.
  2. Check for Signs of Vulnerability: Review your site for any suspicious or unauthorized modifications, especially in pages containing The Plus Addons for Elementor elements or the Age Gate widget.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch these vulnerabilities underscores the importance of timely updates. Users are advised to ensure that they are running version 5.5.0 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/the-plus-addons-for-elementor-page-builder

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/the-plus-addons-for-elementor-page-builder/the-plus-addons-for-elementor-542-authenticated-contributor-stored-cross-site-scripting

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/the-plus-addons-for-elementor-page-builder/the-plus-addons-for-elementor-542-authenticated-contributor-stored-cross-site-scripting-via-age-gate

Detailed Report:

In the ever-evolving world of web security, staying vigilant and keeping your WordPress site up to date is crucial. Recently, a concerning vulnerability was discovered in The Plus Addons for Elementor, a popular WordPress plugin used by thousands of websites. This vulnerability highlights the importance of regularly updating your plugins and taking proactive steps to ensure your site's security.

Plugin Details:

The Plus Addons for Elementor is an active WordPress plugin with over 100,000 installations. It is designed to extend the functionality of the Elementor page builder, offering additional widgets and features to enhance the user experience. The plugin is developed by posimyththemes and has been downloaded over 2.2 million times.

Vulnerability Details:

Researchers Webbernaut and Phuoc Pham discovered Stored Cross-Site Scripting (XSS) vulnerabilities in The Plus Addons for Elementor plugin, affecting versions up to and including 5.4.2. The vulnerabilities, assigned CVE-2024-0445 and CVE-2024-2785, are due to insufficient input sanitization and output escaping in the plugin's element attributes and the Age Gate widget. Attackers with contributor-level access or higher can exploit these vulnerabilities to inject malicious scripts that execute whenever a user accesses an affected page.

Risks and Potential Impacts:

Exploiting the XSS vulnerabilities in The Plus Addons for Elementor plugin can lead to a range of severe consequences for your website and its users. Attackers can steal user session tokens, perform unauthorized actions, or redirect users to malicious sites. This can result in compromised user accounts, sensitive data exposure, and damage to your website's reputation. Small business owners must be aware of these risks, as a compromised website can lead to loss of customer trust and potential financial losses.

Vulnerability Remediation:

To protect your WordPress site from the vulnerabilities in The Plus Addons for Elementor plugin, it is crucial to update to version 5.5.0 or later immediately. This update patches the vulnerabilities and ensures your site is secure. Additionally, review your site for any suspicious or unauthorized modifications, especially in pages containing The Plus Addons for Elementor elements or the Age Gate widget. If you are unsure about updating your plugins or need assistance with your website's security, consider reaching out to a professional web development or security team for support.
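One way to carry out the page review recommended here and in the Advice for Users list, as an added example that is not code from the plugin or from this report: a Python helper that walks an Elementor page's stored `_elementor_data` JSON and flags widget settings containing script-like markup. The `tp-` widget-type prefix, the setting names and the sample page are assumptions constructed for illustration, and the pattern list is a heuristic, not a complete XSS detector.

```python
import json
import re

# Heuristic markers of injected script in stored widget settings (not exhaustive).
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b|\bsrcdoc\s*=",
    re.IGNORECASE,
)

def iter_strings(value, path=""):
    """Yield (path, string) for every string nested inside a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{index}]")

def scan_elementor_data(raw_json, widget_prefix="tp-"):
    """Return (element id, widget type, setting path, excerpt) for each hit.

    widget_prefix narrows the scan to one plugin's widgets; "tp-" is an
    assumed prefix for The Plus Addons. Pass "" to scan every widget.
    """
    findings = []
    stack = list(json.loads(raw_json))
    while stack:
        element = stack.pop()
        stack.extend(element.get("elements", []))  # sections/columns nest widgets
        widget = element.get("widgetType", "")
        if not widget.startswith(widget_prefix):
            continue
        for path, text in iter_strings(element.get("settings", {})):
            if SUSPICIOUS.search(text):
                findings.append((element.get("id"), widget, path, text[:80]))
    return findings

# Constructed sample page: one flagged plugin widget, one clean, one core widget.
SAMPLE = json.dumps([{"id": "s1", "elType": "section", "settings": [], "elements": [
    {"id": "c1", "elType": "column", "settings": [], "elements": [
        {"id": "a1", "elType": "widget", "widgetType": "tp-age-gate",
         "settings": {"age_gate_title": "Welcome <img src=x onerror=alert(1)>"}},
        {"id": "b1", "elType": "widget", "widgetType": "tp-button",
         "settings": {"text": "Read more", "link": {"url": "https://example.com/pricing"}}},
        {"id": "h1", "elType": "widget", "widgetType": "heading",
         "settings": {"title": "<script>document.title='x'</script>"}},
    ]}]}])

if __name__ == "__main__":
    for finding in scan_elementor_data(SAMPLE):
        print(finding)
```

The input for a real page can be exported with WP-CLI (`wp post meta get <post-id> _elementor_data`); any hit should be reviewed by hand, since legitimate custom attributes can also match.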

Previous Vulnerabilities:

It is worth noting that The Plus Addons for Elementor plugin has had a history of vulnerabilities. Since April 2021, there have been nine reported vulnerabilities in the plugin. This underscores the importance of regularly monitoring your plugins for updates and staying informed about potential security risks.

Conclusion:

As a small business owner, keeping your WordPress site secure should be a top priority. Vulnerabilities like those found in The Plus Addons for Elementor plugin can put your website and users at risk, leading to potential financial losses and damage to your reputation. By staying proactive, regularly updating your plugins, and seeking professional assistance when needed, you can significantly reduce the risk of falling victim to security threats. Remember, investing time and resources into your website's security is crucial for the long-term success and stability of your online presence.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
