CVE-2024-11601
📋 TL;DR
This CSRF vulnerability in Sky Addons for Elementor allows unauthenticated attackers to modify WordPress site options via forged requests, delivered by tricking a logged-in administrator into clicking a malicious link. All WordPress sites running this plugin up to and including version 2.6.1 are affected. Attackers can change configuration settings that accept array values, potentially altering site behavior or enabling further attacks.
💻 Affected Systems
- Sky Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify critical WordPress options to enable remote code execution, change site URLs to phishing domains, disable security plugins, or inject malicious code into site configurations.
Likely Case
Attackers modify less critical options to deface the site, redirect users to malicious sites, or change settings that degrade site functionality or user experience.
If Mitigated
With proper CSRF protections and admin awareness, exploitation attempts fail as nonces prevent unauthorized option changes.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators into clicking malicious links. No authentication needed for the CSRF attack itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.6.1
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Sky Addons for Elementor' and check whether an update is available.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until a patched version is available:
wp plugin deactivate sky-elementor-addons
CSRF Protection Headers
Add framing protection via web server headers. Note that X-Frame-Options and frame-ancestors only block clickjacking-style delivery of the forged request; they do not stop a plain cross-site POST, so they complement rather than replace the plugin update.
# Add to .htaccess for Apache:
Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'"
# Add to nginx config:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;
🧯 If You Can't Patch
- Remove the Sky Addons for Elementor plugin completely and use alternative Elementor addons
- Implement strict admin access controls and educate administrators about phishing risks
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the 'Sky Addons for Elementor' version. If the version is 2.6.1 or lower, the site is vulnerable.
Check Version:
wp plugin get sky-elementor-addons --field=version
Verify Fix Applied:
After updating, verify in the WordPress admin panel that the plugin version is higher than 2.6.1, and check that the save_options() function in includes/admin.php now includes proper nonce validation.
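For comparison, an added illustration (not the plugin's own code) of the option-save pattern this class of bug comes from, beside a hardened version with the nonce and capability checks a reviewer would expect; the hook, option and nonce names are hypothetical.

```php
<?php
// Added illustration, not code from Sky Addons for Elementor. Hook, option and
// nonce names are hypothetical.

// Vulnerable pattern: the AJAX handler trusts any request carrying the expected
// POST fields. A form on an attacker's page, submitted by a logged-in
// administrator's browser, is accepted because no nonce is verified.
// (In the vulnerable version this would be hooked to 'wp_ajax_example_save_options'.)
function example_save_options_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    update_option( 'example_options', $options ); // array values stored as-is
    wp_send_json_success();
}

// Hardened form: verify the nonce (a per-user CSRF token), confirm the caller
// may manage options, and sanitize each value before it reaches the database.
add_action( 'wp_ajax_example_save_options', 'example_save_options_hardened' );
function example_save_options_hardened() {
    // check_ajax_referer() terminates the request with 403 when the nonce is
    // missing or does not match the current user's session.
    check_ajax_referer( 'example_save_options_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw   = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) ) ? $_POST['options'] : array();
    $clean = array();
    foreach ( $raw as $key => $value ) {
        // Only scalar values are accepted; nested arrays are dropped rather
        // than written blindly into the option.
        if ( is_scalar( $value ) ) {
            $clean[ sanitize_key( $key ) ] = sanitize_text_field( wp_unslash( $value ) );
        }
    }
    update_option( 'example_options', $clean );
    wp_send_json_success( $clean );
}

// The settings form that posts to this handler must carry the matching nonce:
//   wp_nonce_field( 'example_save_options_nonce', 'nonce' );
// For JavaScript callers, pass wp_create_nonce( 'example_save_options_nonce' )
// via wp_localize_script() and send it as the "nonce" POST field.
```

A Referer check alone is not a substitute: browsers may omit the header, and the nonce is what binds the request to the administrator's session.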
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=sky_elementor_addons_save_options from unexpected sources
- Unusual option changes in WordPress database without corresponding admin actions
Network Indicators:
- CSRF attack patterns with forged requests containing option array parameters
- Requests to admin endpoints without proper referrer headers or nonces
SIEM Query:
source="wordpress.log" AND (url_path="/wp-admin/admin-ajax.php" AND parameters.action="sky_elementor_addons_save_options") AND NOT user_agent CONTAINS expected_admin_pattern
🔗 References
- https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/2.6.1/includes/admin.php#L1267
- https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/2.6.1/includes/admin.php#L1290
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3189030%40sky-elementor-addons&new=3189030%40sky-elementor-addons&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5b951fd9-0fbf-4576-80a9-dbb053c3da92?source=cve