CVE-2024-13649
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into website pages through the Xpro Elementor Addons plugin. The stored XSS payload executes whenever users visit compromised pages, potentially affecting all visitors. The vulnerability exists due to insufficient input sanitization in multiple widgets.
💻 Affected Systems
- 140+ Widgets | Xpro Addons For Elementor – FREE WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or redirect visitors to phishing/malware sites, compromising user accounts and site integrity.
If Mitigated
With proper user role management and content review, impact is limited to defacement or minor script injection affecting only specific pages.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.4.6.7
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Xpro Elementor Addons'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate xpro-elementor-addons
User Role Restriction
Temporarily restrict contributor-level users from editing content
Use WordPress role management plugins or custom code to modify capabilities
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Review and audit all content created by contributor-level users for suspicious scripts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. If version is 1.4.6.7 or lower, you are vulnerable.
Check Version:
wp plugin get xpro-elementor-addons --field=version
Verify Fix Applied:
After update, verify plugin version is higher than 1.4.6.7. Test widget functionality to ensure no regression.
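An added example, not part of this advisory, that turns the version check above into a script: it reads the plugin version through the same wp-cli command and compares it numerically against 1.4.6.7. The numeric comparison matters because a plain string comparison ranks "1.4.6.10" below "1.4.6.7". The plugin slug is the one used in the advisory's wp-cli command; the script assumes it runs on the site host where wp-cli is available.

```python
import re
import subprocess

# Last release the advisory lists as vulnerable; anything <= this is affected.
LAST_VULNERABLE = (1, 4, 6, 7)
PLUGIN_SLUG = "xpro-elementor-addons"  # slug from the advisory's wp-cli command


def parse_version(text):
    """Turn '1.4.6.10' into (1, 4, 6, 10); a trailing suffix like '-beta' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    # Tuple comparison is numeric per component, so 1.4.6.10 correctly
    # ranks above 1.4.6.7; comparing the raw strings would get this wrong.
    return parse_version(version) <= LAST_VULNERABLE


def installed_version():
    """Read the installed version through wp-cli (must run on the site host)."""
    out = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version"],
        capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    state = "VULNERABLE (update required)" if is_vulnerable(v) else "patched"
    print(f"{PLUGIN_SLUG} {v}: {state}")
```

Run it once before and once after the update; the second run should report "patched".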
📡 Detection & Monitoring
Log Indicators:
- Unusual content modifications by contributor users
- Multiple page edits in short timeframes
- Script tags in post/page content from non-admin users
Network Indicators:
- External script loads from unexpected domains in page responses
- Suspicious redirects from legitimate pages
SIEM Query:
source="wordpress" (event="post_modified" OR event="page_updated") user_role="contributor" content CONTAINS "<script>"
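As an added example (not part of the advisory and not the plugin's code), a Python scanner that applies the "script tags in post/page content from non-admin users" indicator above to exported post records. The record layout and the sample posts are constructed. On a real site the same check should be fed both post_content and the JSON stored in Elementor's `_elementor_data` post meta, since that is where widget settings live; the role set below assumes a default single-site WordPress capability setup, where subscribers, contributors and authors lack unfiltered_html.

```python
import re

# Roles that do not hold the unfiltered_html capability on a default
# single-site WordPress install. Active script in their stored content is
# a stored-XSS indicator. (Assumption: default role/capability setup.)
LOW_PRIV_ROLES = {"subscriber", "contributor", "author"}

# Indicators of executable content in stored HTML (also usable on the
# JSON-encoded Elementor widget settings, where '<' is not escaped).
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    # inline event handler inside a tag, e.g. <img src=x onerror=...>
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(
        r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.IGNORECASE),
    "iframe_srcdoc": re.compile(r"<\s*iframe\b[^>]*\bsrcdoc\s*=", re.IGNORECASE),
}


def script_indicators(html):
    """Return the names of every indicator pattern found in html."""
    return [name for name, rx in SCRIPT_PATTERNS.items() if rx.search(html)]


def scan_posts(posts):
    """Flag posts whose author role should not be able to store script.

    posts: iterable of dicts with id, author, author_role, content
    (a constructed layout; map your own export onto it).
    """
    findings = []
    for post in posts:
        hits = script_indicators(post["content"])
        if hits and post["author_role"].lower() in LOW_PRIV_ROLES:
            findings.append({
                "id": post["id"],
                "author": post["author"],
                "role": post["author_role"],
                "indicators": hits,
            })
    return findings


# Constructed sample records (not real site data).
SAMPLE_POSTS = [
    {"id": 101, "author": "site-admin", "author_role": "administrator",
     "content": '<script src="/wp-content/themes/x/app.js"></script>'},
    {"id": 102, "author": "guest-writer", "author_role": "contributor",
     "content": '<p>Hi</p><img src="x" onerror="alert(document.domain)">'},
    {"id": 103, "author": "guest-writer", "author_role": "contributor",
     "content": "<p>Pick the second one = two</p>"},
    {"id": 104, "author": "staff-author", "author_role": "author",
     "content": '<a href="javascript:void(0)">click</a>'},
    {"id": 105, "author": "chief-editor", "author_role": "editor",
     "content": "<script>console.log('ok')</script>"},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['id']} by {f['author']} ({f['role']}): {f['indicators']}")
```

Post 103 shows why the event-handler pattern is anchored inside a tag: the prose "one = two" would otherwise trip a naive `on\w+=` match. Hits from roles that legitimately hold unfiltered_html (101, 105) are left for a separate, lower-priority review rather than mixed into these findings.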
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3235058%40xpro-elementor-addons&new=3235058%40xpro-elementor-addons&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3248584%40xpro-elementor-addons&new=3248584%40xpro-elementor-addons&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/43192613-ce5b-4acc-b284-f40cad7cb8df?source=cve