CVE-2024-11937
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages through the Premium Addons for Elementor plugin's Mobile Menu element. The stored XSS payload executes whenever users visit compromised pages, potentially affecting all visitors to vulnerable WordPress sites.
💻 Affected Systems
- Premium Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts that steal user session data or redirect visitors to phishing pages, compromising user accounts and site integrity.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential defacement of specific pages without broader system compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once attacker has contributor privileges. The vulnerability is publicly documented with technical details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.10.70 and later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Premium Addons for Elementor'. 4. Click 'Update Now' if available, or download version 4.10.70+ from WordPress repository. 5. Activate updated plugin.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily restrict contributor-level user creation and review existing contributor accounts
Disable Mobile Menu Element
allRemove or disable the vulnerable Mobile Menu element from all pages
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Review and audit all contributor-level user accounts and their recent content changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Premium Addons for Elementor → Version number. If version is 4.10.69 or lower, system is vulnerable.Check Version:
wp plugin list --name='premium-addons-for-elementor' --field=versionVerify Fix Applied:
Verify plugin version is 4.10.70 or higher in WordPress admin panel. Test Mobile Menu element functionality remains working.📡 Detection & Monitoring
Log Indicators:
- Unusual content modifications by contributor users
- Multiple page edits targeting Mobile Menu elements
- Suspicious script tags in page content
Network Indicators:
- Unexpected external script loads from WordPress pages
- Suspicious redirects from legitimate pages
SIEM Query:
source="wordpress" AND (event="page_edit" OR event="plugin_update") AND (user_role="contributor" OR plugin_name="premium-addons-for-elementor")🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3210517%40premium-addons-for-elementor%2Ftrunk&old=3208033%40premium-addons-for-elementor%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/26337385-646f-4129-99be-7fa020f67f8e?source=cve
