The Plus Addons for Elementor Vulnerability – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce – Authenticated Stored Cross-Site Scripting – CVE-2024-3197, CVE-2024-3199 | WordPress Plugin Vulnerability Report
Plugin Name: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Key Information:
- Software Type: Plugin
- Software Slug: the-plus-addons-for-elementor-page-builder
- Software Status: Active
- Software Author: posimyththemes
- Software Downloads: 2,244,805
- Active Installs: 100,000
- Last Updated: May 10, 2024
- Patched Versions: 5.5.0
- Affected Versions: <= 5.4.2
Vulnerability Details:
- Name: The Plus Addons for Elementor <= 5.4.2 - Custom Attributes
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-3197
- CVSS Score: 6.4
- Publicly Published: April 25, 2024
- Researcher: Tim Coen
- Description: A vulnerability in The Plus Addons for Elementor plugin allows authenticated users with contributor-level access or higher to inject arbitrary web scripts via custom attributes in widgets, due to insufficient input sanitization and output escaping. The injected script executes in the browser of any user who views the affected page.
- References: Wordfence - Custom Attributes XSS
- Name: The Plus Addons for Elementor <= 5.4.2 - Countdown Widget
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-3199
- CVSS Score: 6.4
- Publicly Published: April 25, 2024
- Researcher: Webbernaut
- Description: Similar to the previous vulnerability, this issue within the countdown widget allows authenticated users to exploit insufficient sanitization controls to inject harmful scripts, affecting users who view the affected pages.
- References: Wordfence - Countdown Widget XSS
Summary:
The Plus Addons for Elementor plugin for WordPress has vulnerabilities in versions up to and including 5.4.2 that allow for stored cross-site scripting via various widget attributes. These vulnerabilities have been patched in version 5.5.0.
Detailed Overview:
These vulnerabilities were identified in two separate components of The Plus Addons for Elementor plugin: custom attributes and the countdown widget. Both vulnerabilities are due to a lack of adequate input sanitization and output escaping, which could allow attackers to inject and execute arbitrary scripts. This could compromise user data and manipulate content without the user’s consent. The patches in version 5.5.0 address these security flaws by enhancing the input validation processes to prevent similar security risks in the future.
Advice for Users:
- Immediate Action: Update to version 5.5.0 immediately to close these vulnerabilities.
- Check for Signs of Vulnerability: Regularly audit your site’s plugins and check for updates or unusual behavior.
- Alternate Plugins: Consider exploring other robust Elementor add-ons that prioritize security, especially if your site handles sensitive information.
- Stay Updated: Always keep your plugins and WordPress core software up to date to protect against potential vulnerabilities.
Conclusion:
The prompt response by posimyththemes to patch these vulnerabilities in The Plus Addons for Elementor plugin highlights the ongoing need for vigilance in the maintenance of website security. Users should promptly update to version 5.5.0 to mitigate these risks and ensure their site remains secure against potential exploits.
References:
- Wordfence reports linked above.
Detailed Report:
In an era where the digital footprint of a business is as crucial as its physical presence, securing online assets has never been more paramount. The discovery of vulnerabilities CVE-2024-3197 and CVE-2024-3199 in "The Plus Addons for Elementor," a plugin integral to many WordPress sites, starkly highlights the risks lurking in overlooked updates. These vulnerabilities not only threaten to compromise user data but also expose websites to manipulations by unauthorized entities. This scenario is a clarion call to all website operators about the enduring need for vigilance and proactive security measures.
Vulnerability Overview:
The Plus Addons for Elementor has suffered from two serious XSS vulnerabilities in its recent versions up to and including 5.4.2. These flaws could allow authenticated users with at least contributor-level access to inject harmful scripts through:
- Custom Attributes (CVE-2024-3197)
- Countdown Widget (CVE-2024-3199)
Both vulnerabilities arise from insufficient input sanitization and output escaping, enabling the execution of arbitrary web scripts whenever a user accesses an injected page.
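The following is an added illustration of the defect class described above, written for this report; it is not code from The Plus Addons for Elementor, from the advisory, or from Wordfence, and the plugin's real rendering code is not shown on this page. It models a hypothetical Elementor-style widget that lets a page editor attach "custom attributes" to its wrapper element, first with the attribute name and value concatenated into markup unchanged, then with an attribute-name allowlist and `esc_attr()` on output. The function names, the `tp-widget` class, the allowlist and the sample input are assumptions for the example; the `esc_attr()` stand-in exists only so the file runs outside WordPress.

```php
<?php
// Added illustration (not the plugin's code). $attrs models a saved widget
// setting: an array of attribute name => value pairs typed by whoever edited
// the page. Contributors do NOT hold WordPress's unfiltered_html capability,
// so anything they save must be treated as untrusted at render time.

// Stand-in for WordPress's esc_attr() so this file runs with plain `php`.
// Inside WordPress the real esc_attr() is used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( string $text ): string {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable pattern: name and value go straight into the tag. A value
// containing a double quote closes the attribute and the editor controls the
// rest of the tag; an attribute name such as onclick is emitted as-is.
function render_wrapper_vulnerable( array $attrs ): string {
    $html = '<div class="tp-widget"';
    foreach ( $attrs as $name => $value ) {
        $html .= ' ' . $name . '="' . $value . '"';
    }
    return $html . '></div>';
}

// Hardened pattern:
//  1. the attribute NAME is restricted to a short allowlist plus strictly
//     formed data-* names, so event handlers (on*) and URL-bearing attributes
//     can never be emitted, whatever the editor typed;
//  2. the attribute VALUE is escaped with esc_attr() at output time, so a
//     quote inside the value cannot break out of the attribute.
// Name validation cannot be replaced by escaping: esc_attr() protects the
// value position only, never the choice of attribute.
function render_wrapper_hardened( array $attrs ): string {
    static $allowed_names = array( 'title', 'role', 'aria-label' );
    $html = '<div class="tp-widget"';
    foreach ( $attrs as $name => $value ) {
        $name    = strtolower( trim( (string) $name ) );
        $is_data = (bool) preg_match( '/^data-[a-z0-9]+(-[a-z0-9]+)*$/', $name );
        if ( ! $is_data && ! in_array( $name, $allowed_names, true ) ) {
            continue; // silently drop anything outside the allowlist
        }
        $html .= ' ' . $name . '="' . esc_attr( (string) $value ) . '"';
    }
    return $html . '></div>';
}

// Constructed sample input for the example: one value that tries to close the
// attribute early, and one attribute name that is itself an event handler.
$untrusted = array(
    'data-tooltip' => 'x" onmouseover="alert(1)',
    'onclick'      => 'alert(1)',
);

echo "Vulnerable rendering:\n", render_wrapper_vulnerable( $untrusted ), "\n\n";
echo "Hardened rendering:\n", render_wrapper_hardened( $untrusted ), "\n";
```

Run with `php example.php`. In the vulnerable rendering both entries land in the tag as live attributes; in the hardened rendering the `onclick` entry is dropped by the name allowlist and the double quote inside `data-tooltip` is emitted as `&quot;`, so the browser sees one inert attribute value. The same two controls, validating what may be emitted and escaping at the point of output, are what "input sanitization and output escaping" refers to in the advisory text above.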
Risks and Potential Impacts:
The impact of these vulnerabilities extends beyond mere unauthorized data access. By exploiting these vulnerabilities, attackers could modify the appearance and functionality of the website, redirect visitors to malicious sites, or even hijack user sessions. This level of compromise could damage a business’s reputation, erode customer trust, and result in significant financial and data losses.
Remediation Steps:
- Immediate Update: Upgrade to version 5.5.0 immediately, as this version includes necessary patches for the vulnerabilities.
- Site Audit: Conduct a thorough check of the site’s plugins and theme files for any unusual or suspicious modifications.
- Regular Monitoring: Implement regular monitoring of the website’s access logs and user activities to detect and respond to anomalies quickly.
Previous Vulnerabilities:
The Plus Addons for Elementor has encountered seven vulnerabilities since April 13, 2021, highlighting a pattern that necessitates ongoing scrutiny and regular updates.
Conclusion:
The swift patching of these vulnerabilities by posimyththemes demonstrates their commitment to security and the importance of timely updates. For small business owners, especially those with limited time to oversee their digital platforms, it's crucial to implement automated security solutions and keep abreast of updates and best practices in website maintenance. Ensuring that your website’s plugins are up-to-date is not just about enhancing functionality—it’s about fortifying your business against invisible threats.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.