CVE-2024-10784
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into pages using the Unlimited Elements for Elementor plugin's Tile Gallery widget. The scripts execute whenever other users view the compromised pages, enabling persistent cross-site scripting attacks. All WordPress sites using this plugin up to version 1.5.126 are affected.
💻 Affected Systems
- Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin
📦 What is this software?
Unlimited Elements For Elementor by Unlimited Elements
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts that steal user session cookies or credentials, leading to account takeover and privilege escalation.
If Mitigated
With proper user access controls and content security policies, impact is limited to defacement or limited data exposure from affected pages.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has Contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.127 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Unlimited Elements For Elementor'. 4. Click 'Update Now' if available, or manually update to version 1.5.127+. 5. Verify update completes successfully.
🔧 Temporary Workarounds
Disable Tile Gallery Widget
allTemporarily disable the vulnerable Tile Gallery widget until patching is possible
Navigate to Elementor → Settings → Advanced → Disable 'Tile Gallery' widget
Restrict User Roles
allTemporarily remove Contributor role access or restrict who can create/edit posts
Use WordPress role management plugins or manually edit user capabilities
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Regularly audit user accounts and remove unnecessary Contributor-level access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Unlimited Elements For Elementor → Version number. If version is 1.5.126 or lower, you are vulnerable.Check Version:
wp plugin list --name='unlimited-elements-for-elementor' --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.5.127 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with Tile Gallery parameters
- Multiple page edits by Contributor users in short timeframes
Network Indicators:
- External script loads from unexpected domains in page responses
- Suspicious JavaScript in page content containing 'tile_gallery' references
SIEM Query:
source="wordpress.log" AND ("tile_gallery" OR "unlimited_elements") AND ("POST" OR "admin-ajax")