Unlimited Elements For Elementor (Free Widgets, Addons, Templates) Vulnerability – Authenticated (Contributor+) Information Exposure, Blind SQL Injection – CVE-2024-35674, CVE-2024-5329 | WordPress Plugin Vulnerability Report
Plugin Name: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
Key Information:
- Software Type: Plugin
- Software Slug: unlimited-elements-for-elementor
- Software Status: Active
- Software Author: unitecms
- Software Downloads: 8,821,358
- Active Installs: 200,000
- Last Updated: June 20, 2024
- Patched Versions: 1.5.110
- Affected Versions: <= 1.5.109
Vulnerability 1 Details:
- Name: Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.109
- Title: Authenticated (Contributor+) Information Exposure
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CVE: CVE-2024-35674
- CVSS Score: 4.3
- Publicly Published: June 5, 2024
- Researcher: Khalid
- Description: The plugin is vulnerable to Sensitive Information Exposure due to missing restrictions on the getPostDataByObj() function, allowing authenticated attackers with Contributor-level access and above to view password-protected posts.
Vulnerability 2 Details:
- Name: Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.109
- Title: Authenticated (Contributor+) Blind SQL Injection via data[addonID] Parameter
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CVE: CVE-2024-5329
- CVSS Score: 8.8
- Publicly Published: June 5, 2024
- Researcher: shaman0x01 - Shaman Red Team
- Description: The plugin is vulnerable to Blind SQL Injection via the ‘data[addonID]’ parameter, allowing authenticated attackers with Contributor-level access and above to execute arbitrary SQL queries, potentially extracting sensitive information from the database.
Summary:
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress has vulnerabilities in versions up to and including 1.5.109 that allow authenticated contributors and above to view password-protected posts and perform Blind SQL Injection attacks. These vulnerabilities have been patched in version 1.5.110.
Detailed Overview:
These vulnerabilities stem from insufficient input sanitization and a lack of proper query preparation in the plugin's codebase. The Information Exposure flaw enables attackers to bypass access restrictions and read post content intended only for users who know the post password. More seriously, the Blind SQL Injection vulnerability allows arbitrary queries against the site database, potentially leading to data theft and unauthorized database access. Users are strongly advised to update to version 1.5.110 or later to mitigate these risks.
Advice for Users:
- Immediate Action: Update the Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin to version 1.5.110 or later immediately.
- Check for Signs of Vulnerability: Monitor post access logs for unauthorized views and database query logs for abnormal activity.
- Alternate Plugins: Consider temporarily disabling the plugin or using alternative solutions until the update is applied.
- Stay Updated: Regularly update all WordPress plugins to their latest versions to prevent vulnerabilities and enhance overall site security.
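As an added example (not part of the original report or of the plugin's own code), a small Python script that does the two checks above: it reads the installed plugin version from the main-file header and compares it with the patched release, and it flags admin-ajax.php requests whose data[addonID] value is not a plain integer. The plugin header, the access-log lines and the `action=example` name are constructed placeholders, and the assumption that addon IDs are always numeric is mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

PATCHED_VERSION = "1.5.110"   # first fixed release named in the advisory

def version_tuple(v):
    """'1.5.109' -> (1, 5, 109), so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def plugin_version_from_header(header_text):
    """Read the 'Version:' line of a WordPress plugin's main-file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.]+)", header_text, re.M)
    return m.group(1) if m else None

def is_affected(version):
    """True when the installed version is older than the patched release."""
    return version_tuple(version) < version_tuple(PATCHED_VERSION)

# Constructed sample of a plugin main-file header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
 * Version: 1.5.109
 */
"""

def suspicious_addon_id_requests(log_lines):
    """Return (client_ip, value) pairs for admin-ajax.php requests whose
    data[addonID] is not a plain integer (assumption: IDs are numeric).
    Only query-string parameters appear in an access log; POST bodies need
    a WAF or request log with the same check applied."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP', line)
        if not m or "admin-ajax.php" not in m.group(2):
            continue
        params = parse_qs(urlsplit(m.group(2)).query)   # decodes data%5BaddonID%5D
        for value in params.get("data[addonID]", []):
            if not value.isdigit():
                hits.append((m.group(1), value))
    return hits

# Constructed combined-format access log lines; 'action=example' is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&data%5BaddonID%5D=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jun/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example&data%5BaddonID%5D=12%27 HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/Jun/2024:10:02:00 +0000] "GET /index.php?p=3 HTTP/1.1" 200 2048',
]
```

Run `is_affected(plugin_version_from_header(...))` against the real plugin file and `suspicious_addon_id_requests(...)` over real log lines; a non-numeric hit is a reason to review that client's activity, not proof of exploitation.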
Conclusion:
The prompt response from Unlimited Elements For Elementor developers in releasing version 1.5.110 underscores the importance of timely updates. Users must ensure they are running version 1.5.110 or higher to secure their WordPress installations against potential exploits.
Detailed Report:
In today's digital landscape, maintaining the security of your website isn't just good practice—it's essential. The recent discovery of vulnerabilities in the Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin serves as a stark reminder of the risks posed by outdated software. With CVE-2024-35674 and CVE-2024-5329 affecting versions up to 1.5.109, authenticated attackers with Contributor-level access and above could exploit these flaws to access sensitive data and execute unauthorized SQL queries, potentially compromising your site's integrity.
Overview of Previous Vulnerabilities:
Prior to these incidents, there have been 15 documented vulnerabilities since March 4, 2022, underscoring the importance of proactive security measures and staying updated with plugin updates.
Conclusion:
Small business owners and WordPress website administrators must prioritize regular software updates to protect their websites from potential exploits and safeguard sensitive data. By staying vigilant and proactive, you can mitigate risks and maintain the security and trustworthiness of your online presence.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.