The Plus Addons for Elementor Vulnerability- Multiple Stored Cross-Site Scripting Vulnerabilities – CVE-2024-6575 and CVE-2024-5763 | WordPress Plugin Vulnerability Report

Plugin Name: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: the-plus-addons-for-elementor-page-builder
  • Software Status: Active
  • Software Author: posimyththemes
  • Software Downloads: 2,607,204
  • Active Installs: 100,000
  • Last Updated: August 19, 2024
  • Patched Versions: 5.6.3
  • Affected Versions: <= 5.6.2

Vulnerability 1 Details:

  • Name: The Plus Addons for Elementor <= 5.6.2
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via TP Page Scroll Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-6575
  • CVSS Score: 6.4
  • Publicly Published: August 19, 2024
  • Researcher: stealthcopter
  • Description: The Plus Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'res_width_value' parameter in the TP Page Scroll widget in all versions up to and including 5.6.2. Due to insufficient input sanitization and output escaping, authenticated attackers with Contributor-level access can inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the affected page, potentially leading to unauthorized actions on the site.

Vulnerability 2 Details:

  • Name: The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.6.2
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Video Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-5763
  • CVSS Score: 6.4
  • Publicly Published: August 19, 2024
  • Researcher: João Pedro Soares de Alcântara - Kinorth
  • Description: The Plus Addons for Elementor plugin is also vulnerable to Stored Cross-Site Scripting (XSS) via the 'video_date' attribute in the Video widget in all versions up to and including 5.6.2. Like the TP Page Scroll widget vulnerability, this flaw arises from insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access can inject arbitrary web scripts that execute whenever an affected page is accessed, leading to potential security risks.

Summary:

The Plus Addons for Elementor plugin for WordPress has two significant vulnerabilities in versions up to and including 5.6.2. These vulnerabilities involve Stored Cross-Site Scripting (XSS) attacks via the TP Page Scroll and Video widgets, allowing authenticated attackers with Contributor-level access to inject malicious scripts into pages. These vulnerabilities have been patched in version 5.6.3.

Detailed Overview:

The vulnerabilities, identified as CVE-2024-6575 and CVE-2024-5763, were discovered by researchers stealthcopter and João Pedro Soares de Alcântara - Kinorth, respectively. Both vulnerabilities stem from the same underlying issue: insufficient input sanitization and output escaping in the TP Page Scroll and Video widgets. These flaws allow authenticated users with Contributor-level access to inject malicious web scripts into pages. When these pages are accessed by other users, the scripts execute, potentially leading to unauthorized actions, data theft, or the spread of malicious content.

The severity of these vulnerabilities is reflected in their CVSS scores of 6.4, indicating a medium risk level. However, given the potential for unauthorized actions on affected sites, these vulnerabilities pose a significant threat to site security.

Advice for Users:

Immediate Action: Users of The Plus Addons for Elementor plugin should update to the patched version 5.6.3 immediately to protect their sites from these vulnerabilities.

Check for Signs of Vulnerability: Review your site for any unusual activity, particularly in pages using the TP Page Scroll or Video widgets. Look for any unexpected scripts or changes to page content.

Alternate Plugins: If you have concerns about the security history of this plugin, you might consider exploring alternative plugins that offer similar functionality while maintaining a strong security track record.

Stay Updated: Always ensure that all your WordPress plugins are updated to their latest versions to avoid vulnerabilities.

Conclusion:

The quick response from the plugin developers in patching these vulnerabilities underscores the importance of staying on top of updates. However, managing updates and security can be challenging for small business owners. If you’re concerned about the security of your website or find it difficult to keep up with these tasks, consider seeking professional assistance. Protecting your site from vulnerabilities like these is crucial for maintaining the trust and safety of your customers.

References:

Detailed Report: 

Maintaining the security of your WordPress website is a critical responsibility that protects your business, customers, and reputation. One of the most effective ways to ensure your site remains secure is by regularly updating your plugins. Outdated plugins can expose your site to serious security risks, making it vulnerable to attacks that could compromise its integrity. A recent example of such a risk is the discovery of two significant vulnerabilities in the popular The Plus Addons for Elementor plugin, which is used on over 100,000 WordPress sites.

Plugin Overview

The Plus Addons for Elementor is a feature-rich plugin that enhances the Elementor page builder by adding various widgets, page templates, and other design elements. Developed by posimyththemes, this plugin has been downloaded over 2.6 million times and is widely used for creating advanced layouts and features in WordPress sites. As of its last update on August 19, 2024, the plugin received a critical security patch in version 5.6.3, addressing two vulnerabilities that affect all previous versions.

Details of the Vulnerabilities

The vulnerabilities, identified as CVE-2024-6575 and CVE-2024-5763, were discovered by security researchers stealthcopter and João Pedro Soares de Alcântara - Kinorth, respectively. Both vulnerabilities are related to Stored Cross-Site Scripting (XSS) and allow authenticated users with Contributor-level access to inject malicious scripts into pages via the TP Page Scroll and Video widgets.

  1. CVE-2024-6575 involves the TP Page Scroll widget, where the 'res_width_value' parameter is insufficiently sanitized, allowing attackers to inject arbitrary web scripts. These scripts execute whenever a user accesses the affected page, potentially leading to unauthorized actions on the site.
  2. CVE-2024-5763 affects the Video widget, where the 'video_date' attribute is vulnerable to the same type of attack. Insufficient input sanitization and output escaping allow attackers to inject scripts that execute when an affected page is viewed.

Both vulnerabilities carry a CVSS score of 6.4, indicating a medium risk level. However, the potential for unauthorized actions, data theft, or the spread of malicious content makes these vulnerabilities a significant threat to your site’s security.

Risks and Potential Impacts

For small business owners, the risks associated with these vulnerabilities are considerable. If exploited, these flaws could:

  • Compromise your website’s security: Injected scripts could perform unauthorized actions, deface your site, or redirect users to malicious sites.
  • Lead to data breaches: Sensitive information could be exposed or stolen, leading to potential legal and financial repercussions.
  • Damage your reputation: A compromised site can erode customer trust, leading to a loss of business and damage to your brand’s reputation.

Given the widespread use of the TP Page Scroll and Video widgets, the potential impacts of these vulnerabilities should not be underestimated.

How to Remediate the Vulnerabilities

Fortunately, the developers of The Plus Addons for Elementor have released a patch in version 5.6.3 to address these vulnerabilities. To secure your website, it is essential to:

  1. Update the Plugin Immediately: Ensure that you are using version 5.6.3 or later. This update closes the vulnerabilities and protects your site from potential exploitation.
  2. Check for Signs of Compromise: Review your site for any unusual activity, particularly on pages using the TP Page Scroll or Video widgets. Look for unexpected scripts or changes to page content.
  3. Consider Alternative Plugins: If you have concerns about the security history of this plugin, you may want to explore other plugins that offer similar functionality but have a stronger security track record.

Overview of Previous Vulnerabilities

It’s important to note that these are not the first vulnerabilities affecting The Plus Addons for Elementor plugin. Since April 13, 2021, there have been 17 previous vulnerabilities reported. This history highlights the importance of remaining vigilant and ensuring that all plugins, especially those with a history of security issues, are regularly updated and monitored.

Conclusion

The swift response from the plugin developers in patching these vulnerabilities underscores the importance of staying on top of updates. However, managing updates and ensuring your website’s security can be particularly challenging for small business owners who may not have the time or expertise to handle these tasks.

If you’re concerned about your website’s security or find it difficult to keep up with necessary updates, consider seeking professional assistance. Keeping your site secure from vulnerabilities like these is crucial for maintaining customer trust and protecting your business. In the ever-evolving landscape of online security, staying proactive is essential.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

The Plus Addons for Elementor Vulnerability- Multiple Stored Cross-Site Scripting Vulnerabilities – CVE-2024-6575 and CVE-2024-5763 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment