WordPress Plugin Vulnerability Report – Elementor Addon Elements – Cross-Site Request Forgery – CVE-2023-4690

Plugin Name: Elementor Addon Elements

Key Information:

  • Software Type: Plugin
  • Software Slug: addon-elements-for-elementor-page-builder
  • Software Status: Active
  • Software Author: webtechstreet
  • Software Downloads: 2,143,312
  • Active Installs: 100,000
  • Last Updated: November 15, 2023
  • Patched Versions: 1.12.8
  • Affected Versions: <= 1.12.7

Vulnerability Details:

  • Name: Elementor Addon Elements <= 1.12.7 - Cross-Site Request Forgery
  • Title: Cross-Site Request Forgery
  • Type: Cross-Site Request Forgery (CSRF)
  • CVE: CVE-2023-4690
  • CVSS Score: 5.4 (Medium)
  • Publicly Published: November 15, 2023
  • Researcher: Marco Wotschka and Paolo Tresso
  • Description: The Elementor Addon Elements plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.12.7. This is due to missing or incorrect nonce validation on the eae_save_config function. This makes it possible for unauthenticated attackers to change configuration settings for the plugin via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Summary:

The Elementor Addon Elements plugin for WordPress has a vulnerability in versions up to and including 1.12.7 that allows unauthenticated attackers to change configuration settings via a forged request. This vulnerability has been patched in version 1.12.8.

Detailed Overview:

The Elementor Addon Elements plugin up to version 1.12.7 is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the eae_save_config function. This allows attackers to send forged requests that change configuration settings for the plugin, as long as they can trick an administrator into clicking a link or performing another action. This could allow attackers to modify settings or insert malicious code. The vulnerability was reported by researchers Marco Wotschka and Paolo Tresso and has been fixed in version 1.12.8 with proper nonce validation. This medium-severity vulnerability puts WordPress sites running vulnerable versions of the plugin at risk. Users should update to the latest patched release as soon as possible.

Advice for Users:

  1. Immediate Action: Update to Elementor Addon Elements version 1.12.8 or higher.
  2. Check for Signs of Vulnerability: Review your plugin configuration settings for any unauthorized changes.
  3. Alternate Plugins: Consider alternate page builder plugins like Beaver Builder or WPBakery as a precaution.
  4. Stay Updated: Ensure all plugins, themes, and WordPress core are kept updated to avoid vulnerabilities.

Conclusion:

The prompt response by the developers to patch this CSRF vulnerability in Elementor Addon Elements shows the importance of a timely security response. Users should ensure they are running version 1.12.8 or later to secure their sites.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/addon-elements-for-elementor-page-builder

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/addon-elements-for-elementor-page-builder/elementor-addon-elements-1127-cross-site-request-forgery

Detailed Report:

Keeping your WordPress website secure should be a top priority for any website owner. Unfortunately, vulnerabilities in plugins and themes are frequently disclosed that can put your site at risk if left unpatched.

One such vulnerability was recently disclosed in the popular Elementor Addon Elements plugin, used by over 100,000 WordPress sites. Versions up to and including 1.12.7 contain a cross-site request forgery (CSRF) vulnerability that could allow attackers to modify plugin settings if they trick an admin into clicking a link.

Elementor Addon Elements is a popular plugin with over 2 million downloads that provides additional widgets and templates for use with the Elementor page builder. This vulnerability affects all versions up to and including 1.12.7.

The vulnerability allows attackers to send forged requests to change the plugin's configuration settings if they can trick an administrator into clicking a malicious link or performing another action. The attacker never needs the administrator's credentials: the forged request is submitted by the administrator's own browser, which attaches the logged-in session cookies automatically. This is possible because the plugin does not properly validate nonces on the eae_save_config function that handles saving settings changes; a valid nonce is the per-user, per-action token that a forged cross-site request cannot supply.
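To show what "missing nonce validation on a settings-save handler" looks like and how the documented fix (proper nonce validation) closes it, here is an added illustration that is not the plugin's own code. The page names only the function eae_save_config; the handler, option name and form below are hypothetical stand-ins built on the real WordPress nonce and capability APIs.

```php
<?php
// Added illustration, not code from the Elementor Addon Elements plugin.
// Function names, the option key and the form fields are hypothetical.

// BEFORE (hypothetical): any request that reaches this action is honoured. A
// cross-site POST submitted by a logged-in administrator's browser therefore
// rewrites the option, because the browser attaches the session cookies itself.
function eae_example_save_config_vulnerable() {
    $config = isset( $_POST['eae_config'] ) ? (array) $_POST['eae_config'] : array();
    update_option( 'eae_example_config', array_map( 'sanitize_text_field', $config ) );
    wp_send_json_success();
}

// AFTER (hypothetical): the settings form carries a nonce bound to this action
// and to the current user, and the handler refuses the request unless the nonce
// verifies AND the caller may manage options. check_ajax_referer() reads the
// nonce from the named request field and dies with HTTP 403 if it is missing or
// invalid, so a forged request from another origin never reaches update_option().
function eae_example_save_config_fixed() {
    check_ajax_referer( 'eae_save_config', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $config = isset( $_POST['eae_config'] ) ? (array) $_POST['eae_config'] : array();
    update_option( 'eae_example_config', array_map( 'sanitize_text_field', $config ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_eae_example_save_config', 'eae_example_save_config_fixed' );

// The legitimate settings page emits the matching nonce; wp_nonce_field() renders
// a hidden <input name="_wpnonce"> whose value only this user's session can mint.
function eae_example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="eae_example_save_config">';
    wp_nonce_field( 'eae_save_config', '_wpnonce' );
    echo '<input type="text" name="eae_config[layout]">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The capability check is kept alongside the nonce on purpose: a nonce proves the request originated from the plugin's own form in this user's session, not that the user is allowed to change settings, so both checks are needed.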

This could enable attackers to modify settings or insert malicious code without authorization. The vulnerability has a CVSS score of 5.4 out of 10, making it a medium-severity issue.

While the developers have released version 1.12.8 to patch this issue, many sites likely still run the affected versions. It's critical to update plugins like Elementor Addon Elements as soon as possible when vulnerabilities are found to prevent compromise.

To remediate this issue, users should update to version 1.12.8 or higher, which addresses the vulnerability with proper nonce validation. It is also recommended to review plugin settings for any unauthorized modifications. Alternate page builder plugins can be considered as a precaution as well.

This is the 9th vulnerability disclosed in Elementor Addon Elements since September 2020, illustrating the importance of prompt security updates. Outdated plugins and themes are the number one threat to WordPress sites.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
