CVE-2024-12328
📋 TL;DR
The MAS Elementor WordPress plugin allows authenticated attackers with Author-level access or higher to upload malicious SVG files containing cross-site scripting (XSS) payloads. When users view these uploaded SVG files, the malicious scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. This affects all WordPress sites using MAS Elementor plugin versions 1.1.7 and earlier.
💻 Affected Systems
- MAS Addons for Elementor (WordPress plugin)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, deface websites, inject malware, or redirect visitors to malicious sites.
Likely Case
Attackers with compromised author accounts inject malicious scripts to steal user session data, display unwanted content, or perform limited site modifications.
If Mitigated
With proper user access controls and content security policies, impact is limited to isolated script execution without significant privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated access (Author role minimum). SVG file upload with embedded JavaScript is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.8 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'MAS Addons for Elementor'. 4. Click 'Update Now' if available, or download version 1.1.8+ from WordPress repository. 5. Activate updated plugin.
🔧 Temporary Workarounds
Disable SVG uploads via .htaccess
linuxPrevent SVG file uploads at web server level
Add to .htaccess: <FilesMatch "\.svg$">
Order Allow,Deny
Deny from all
</FilesMatch>
Restrict user roles
allLimit users with Author role or higher to trusted individuals only
🧯 If You Can't Patch
- Disable MAS Elementor plugin completely until patched
- Implement Content Security Policy (CSP) headers to restrict script execution from uploaded files
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → MAS Addons for Elementor version numberCheck Version:
wp plugin list --name='mas-addons-for-elementor' --field=versionVerify Fix Applied:
Confirm plugin version is 1.1.8 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads by Author-level users
- Multiple failed SVG upload attempts
- User role escalation patterns
Network Indicators:
- HTTP POST requests to /wp-admin/async-upload.php with SVG files
- SVG files containing script tags in uploads directory
SIEM Query:
source="wordpress.log" AND ("uploaded" AND ".svg") OR ("mas-elementor" AND "svg")