CVE-2024-0445
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into pages using The Plus Addons for Elementor plugin. The scripts are stored and execute whenever other users view the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- The Plus Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, leading to account takeover and limited site manipulation.
If Mitigated
With proper user role management and input validation, impact is limited to low-privileged user data exposure if exploitation occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once attacker has contributor privileges. The vulnerability is in multiple widget files as shown in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.0 and later
Vendor Advisory: https://wordpress.org/plugins/the-plus-addons-for-elementor/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'The Plus Addons for Elementor'. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.5.0+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Restrict User Roles
allLimit contributor and author roles to trusted users only, reducing attack surface.
Content Security Policy
linuxImplement CSP headers to restrict script execution sources.
Add to .htaccess: Header set Content-Security-Policy "script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "script-src 'self'";
🧯 If You Can't Patch
- Remove or disable The Plus Addons for Elementor plugin entirely
- Implement strict user role management and audit all contributor-level accounts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. If version is 5.4.2 or lower, you are vulnerable.Check Version:
wp plugin list --name='the-plus-addons-for-elementor' --field=versionVerify Fix Applied:
After updating, verify plugin version shows 5.5.0 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with plugin-specific parameters
- Multiple page edits by contributor-level users in short timeframes
Network Indicators:
- Unexpected script tags in page responses containing 'theplus-' or plugin-related attributes
SIEM Query:
source="wordpress.log" AND ("tp_flip_box" OR "tp_info_box" OR "tp_pricing_table") AND "admin-ajax.php"🔗 References
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.3.4/modules/widgets/tp_flip_box.php#L2323
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.3.4/modules/widgets/tp_info_box.php#L2928
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.3.4/modules/widgets/tp_pricing_table.php#L2942
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.0/modules/widgets/tp_flip_box.php#L2388
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.0/modules/widgets/tp_info_box.php#L2997
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.0/modules/widgets/tp_pricing_table.php#L2960
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a412e682-869a-46ba-a2d0-d84ed542adc9?source=cve
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.3.4/modules/widgets/tp_flip_box.php#L2323
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.3.4/modules/widgets/tp_info_box.php#L2928
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.3.4/modules/widgets/tp_pricing_table.php#L2942
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.0/modules/widgets/tp_flip_box.php#L2388
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.0/modules/widgets/tp_info_box.php#L2997
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.0/modules/widgets/tp_pricing_table.php#L2960
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a412e682-869a-46ba-a2d0-d84ed542adc9?source=cve
