CVE-2024-13548
📋 TL;DR
The Power Ups for Elementor WordPress plugin has a stored XSS vulnerability in its 'magic-button' shortcode that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into web pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using this plugin up to version 1.2.2 are affected.
💻 Affected Systems
- Power Ups for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the website, or redirect users to malicious sites.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, perform actions as other users, or display phishing content to visitors.
If Mitigated
With proper user role management and content review processes, the impact is limited to potential defacement or minor data exposure from lower-privileged accounts.
🎯 Exploit Status
Exploitation requires authenticated access with contributor privileges or higher. The vulnerability is in a publicly available shortcode handler.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.3 or later
Vendor Advisory: https://wordpress.org/plugins/power-ups-for-elementor/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Power Ups for Elementor'.
4. Click 'Update Now' if available.
5. If no update appears, download version 1.2.3+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable Magic Button Shortcode
Remove or disable the vulnerable shortcode functionality.
Add to theme's functions.php: remove_shortcode('magic-button');
Restrict User Roles
Limit contributor-level access to trusted users only.
Use WordPress role management plugins to restrict contributor creation.
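A drop-in must-use plugin that applies the "disable the shortcode" workaround, written here as an added example (it is not code from the Power Ups for Elementor plugin or its vendor). It assumes the plugin registers 'magic-button' on the init hook, which is the usual pattern for Elementor add-ons; if that assumption holds, a bare remove_shortcode() call at the top of functions.php runs before the plugin has registered the tag and silently does nothing, so the removal is hooked to init at a late priority instead. Everything else it calls (add_action, add_shortcode, shortcode_exists, has_shortcode, __return_empty_string) is core WordPress API.

```php
<?php
/**
 * Plugin Name: Neutralise Power Ups magic-button shortcode (added example)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * and cannot be switched off from the admin UI. Added example, not code
 * from the plugin or its vendor.
 */

// Assumption: the plugin registers its shortcode on 'init'. Calling
// remove_shortcode() at file-load time would run too early, so the
// removal is hooked to 'init' with the latest possible priority.
add_action( 'init', 'cve_2024_13548_neutralise_magic_button', PHP_INT_MAX );

function cve_2024_13548_neutralise_magic_button() {
    if ( shortcode_exists( 'magic-button' ) ) {
        remove_shortcode( 'magic-button' );
    }
    // Re-register a no-op handler so an existing "[magic-button ...]" tag
    // in post content renders as nothing instead of being echoed literally.
    add_shortcode( 'magic-button', '__return_empty_string' );
}

// Record remaining uses of the tag so the mitigation can be confirmed from
// the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on).
// Priority 1 runs before do_shortcode (priority 11), so the tag is still
// present in $content at this point.
add_filter( 'the_content', function ( $content ) {
    if ( has_shortcode( $content, 'magic-button' ) ) {
        error_log( sprintf(
            'CVE-2024-13548 mitigation: magic-button shortcode present in post %d, rendered as empty',
            get_the_ID()
        ) );
    }
    return $content;
}, 1 );
```

Re-registering an empty handler rather than only removing the tag is a deliberate choice: with the tag unregistered, WordPress leaves "[magic-button ...]" as visible text in the page, which both looks broken and reveals where the attribute payload sits. The error_log line gives a cheap way to list posts that still carry the tag so they can be reviewed and cleaned before the plugin is updated.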
🧯 If You Can't Patch
- Implement strict content review process for all posts/pages created by contributors
- Install and configure a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Power Ups for Elementor version. If the version is 1.2.2 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='power-ups-for-elementor' --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.2.3 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/post.php with magic-button shortcode parameters
- Multiple page edits by contributor accounts in short time period
Network Indicators:
- Script tags with unusual attributes in page responses
- External JavaScript loading from unexpected domains
SIEM Query:
source="wordpress.log" AND ("magic-button" OR "power-ups-elementor") AND (POST OR UPDATE)
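The two log indicators above (shortcode name in a POST to wp-admin/post.php, and a burst of edits by one contributor account) implemented as a small PHP CLI script over constructed log lines. This is an added example, not part of the advisory or the plugin. It assumes an Apache-style line of the form `client user [time] "METHOD path" status`; the "user" field stands in for the WordPress login, which ordinary access logs do not carry, so in practice feed it from an application-level audit log or join on the session cookie. The shortcode name only appears in the request if the query string or body is logged, so the sample line places it in the query string purely for illustration. The thresholds (3 edits in 300 seconds) are assumptions to tune.

```php
<?php
// Added example (not from the advisory): evaluates two of the log
// indicators against constructed access-log lines.
// Assumed line format:  client user [time] "METHOD path" status

const EDIT_BURST_THRESHOLD = 3;    // edits per account ...
const EDIT_BURST_WINDOW    = 300;  // ... within this many seconds (assumed)

function parse_log_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) (\S+) \[([^\]]+)\] "(\w+) ([^" ]+)[^"]*" (\d{3})/', $line, $m ) ) {
        return null; // unparseable line: skip rather than guess
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[3] );
    return [
        'ip'     => $m[1],
        'user'   => $m[2],
        'ts'     => $ts ? $ts->getTimestamp() : 0,
        'method' => $m[4],
        'path'   => $m[5],
        'status' => (int) $m[6],
    ];
}

function is_post_edit( array $e ): bool {
    return $e['method'] === 'POST' && str_contains( $e['path'], 'wp-admin/post.php' );
}

// Indicator 1: a post.php save whose logged request carries the shortcode name.
function is_magic_button_post( array $e ): bool {
    return is_post_edit( $e ) && stripos( $e['path'], 'magic-button' ) !== false;
}

// Indicator 2: EDIT_BURST_THRESHOLD or more post.php saves by one account
// inside EDIT_BURST_WINDOW seconds (sliding window over sorted timestamps).
function find_edit_bursts( array $events ): array {
    $per_user = [];
    foreach ( $events as $e ) {
        if ( is_post_edit( $e ) ) {
            $per_user[ $e['user'] ][] = $e['ts'];
        }
    }
    $bursts = [];
    foreach ( $per_user as $user => $times ) {
        sort( $times );
        for ( $i = 0, $j = 0; $j < count( $times ); $j++ ) {
            while ( $times[ $j ] - $times[ $i ] > EDIT_BURST_WINDOW ) {
                $i++;
            }
            if ( $j - $i + 1 >= EDIT_BURST_THRESHOLD ) {
                $bursts[ $user ] = $j - $i + 1;
            }
        }
    }
    return $bursts;
}

// Constructed sample lines: one shortcode-bearing save and a burst of three
// edits within 150 seconds by the account "contrib1"; the fourth edit is
// well outside the window and must not count.
$sample = [
    '203.0.113.5 admin1 [12/Jan/2025:10:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 200',
    '203.0.113.9 contrib1 [12/Jan/2025:10:01:00 +0000] "POST /wp-admin/post.php?post=41&action=edit&content=%5Bmagic-button HTTP/1.1" 302',
    '203.0.113.9 contrib1 [12/Jan/2025:10:02:10 +0000] "POST /wp-admin/post.php?post=42&action=edit HTTP/1.1" 302',
    '203.0.113.9 contrib1 [12/Jan/2025:10:03:30 +0000] "POST /wp-admin/post.php?post=43&action=edit HTTP/1.1" 302',
    '203.0.113.9 contrib1 [12/Jan/2025:11:30:00 +0000] "POST /wp-admin/post.php?post=44&action=edit HTTP/1.1" 302',
];

$events = array_filter( array_map( 'parse_log_line', $sample ) );
foreach ( $events as $e ) {
    if ( is_magic_button_post( $e ) ) {
        printf( "ALERT shortcode in edit: user=%s ip=%s path=%s\n", $e['user'], $e['ip'], $e['path'] );
    }
}
foreach ( find_edit_bursts( $events ) as $user => $n ) {
    printf( "ALERT edit burst: user=%s edits=%d within %ds\n", $user, $n, EDIT_BURST_WINDOW );
}
```

Run with `php detect.php` (PHP 8 or later for str_contains). On the sample it raises one shortcode alert for post 41 and one burst alert for contrib1 with 3 edits; the 11:30 edit falls outside the window and is not counted. The burst rule on its own is noisy for busy editorial sites, so it is best used to rank accounts for the content review step rather than as a standalone alarm.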