The recently discovered vulnerability, CVE-2024-4378, affects the Premium Addons for Elementor plugin for WordPress and carries severe security risks for users. This vulnerability allows authenticated attackers with contributor-level access (or higher) to exploit the plugin's menu and shape widgets by injecting malicious web scripts, which can execute when an unsuspecting user accesses a compromised page.

Affected Versions

- All versions of the Premium Addons for Elementor plugin for WordPress up to and including version 4.10.30

Vulnerability Details

The root cause of this vulnerability lies in the lack of sufficient input sanitization and output escaping when processing user-supplied attributes within the plugin's menu and shape widgets. This oversight ultimately leads to Stored Cross-Site Scripting (XSS) attacks, a serious security issue.

An attacker with at least contributor-level access to the WordPress site can exploit this vulnerability by injecting JavaScript code into the affected plugin's widgets. When a user visits a page containing the malicious script, it executes, potentially triggering a range of exploits, such as stealing sensitive user data, redirecting users to nefarious websites, or performing actions on their behalf without their knowledge or consent.

Consider this example of a malicious code injection:

<script>alert('XSS Vulnerability in Premium Addons for Elementor');</script>

Embedding this script into one of the vulnerable widgets will generate a browser alert for any user visiting the page, indicating the site's vulnerability to the more dangerous exploits mentioned above.
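To show the bug class behind this advisory in code, here is an added illustration (not the plugin's own code) of a hypothetical menu-item renderer that concatenates contributor-supplied widget settings straight into markup, next to a hardened version that sanitizes on save and escapes on output. The WordPress functions named in the comments (esc_attr(), esc_html(), sanitize_html_class()) are real, but plain PHP equivalents are used so the file runs without WordPress loaded.

```php
<?php
// Hypothetical widget renderer (assumption: not Premium Addons' real code).
// A contributor controls both values, and both end up in the page HTML.
// Constructed test input, modelled on the alert() payload shown above.
$settings = [
    'label'     => "Home<script>alert('XSS')</script>",
    'css_class' => 'nav" onmouseover="alert(1)',
];

// Vulnerable pattern: no sanitization on save, no escaping on output.
function render_menu_item_vulnerable(array $s): string {
    return '<li class="' . $s['css_class'] . '">' . $s['label'] . '</li>';
}

// Sanitize on save: a CSS class name only needs [A-Za-z0-9_-], so drop
// everything else (WordPress: sanitize_html_class()).
function sanitize_css_class(string $v): string {
    return preg_replace('/[^A-Za-z0-9_-]/', '', $v);
}

// Escape on output for the HTML context the value lands in.
// ENT_QUOTES matters: it neutralises the double quote that would otherwise
// close the class attribute and let an event handler be appended.
// (WordPress: esc_attr() for attribute values, esc_html() for text nodes.)
function escape_html(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_menu_item_hardened(array $s): string {
    $class = escape_html(sanitize_css_class($s['css_class']));
    $label = escape_html($s['label']);   // angle brackets become &lt; &gt;
    return '<li class="' . $class . '">' . $label . '</li>';
}

echo "Vulnerable: " . render_menu_item_vulnerable($settings) . "\n";
echo "Hardened:   " . render_menu_item_hardened($settings) . "\n";
```

The vulnerable line prints the script tag and the injected onmouseover handler intact; the hardened line prints them as inert text, which is what a reviewer should expect from any widget attribute a contributor can set.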

Mitigation

It is vital for website administrators using the Premium Addons for Elementor plugin to take immediate action to secure their websites. The developers of Premium Addons for Elementor have released a patch to address this vulnerability in version 4.10.31. Users should update their plugin as soon as possible to protect against this vulnerability.

If an update is available, click "Update Now" to install the latest version.

Alternatively, users can download the updated version from the plugin's page in the official WordPress plugin repository.

Conclusion

CVE-2024-4378 poses a significant threat to the security and privacy of all WordPress users who've installed the Premium Addons for Elementor plugin at versions 4.10.30 and below. By exploiting this vulnerability, cybercriminals can gain unauthorized access to sensitive data and control various site operations without users' consent. It is imperative to update the plugin to the latest version immediately and maintain vigilance regarding future security updates to protect against similar threats.

Timeline

Published on: 05/23/2024 11:15:24 UTC
Last modified on: 06/04/2024 17:55:10 UTC