CVE-2024-2784
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into web pages using the The Plus Addons for Elementor plugin's Hover Card widget. The scripts execute whenever users visit the compromised pages, enabling attackers to steal session cookies, redirect users, or perform other malicious actions. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- The Plus Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the WordPress site, deface pages, redirect visitors to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session data, display unwanted content, or redirect users to phishing pages.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential defacement of specific pages containing the vulnerable widget.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3090866/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'The Plus Addons for Elementor'. 4. Click 'Update Now' if available, or download version 5.5.5+ from WordPress repository. 5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable Hover Card Widget
allTemporarily disable the vulnerable Hover Card widget in Elementor settings
Restrict User Roles
allLimit contributor-level access to trusted users only
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Remove contributor access from untrusted users and audit existing contributor accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → The Plus Addons for Elementor → Version number. If version is 5.5.4 or lower, you are vulnerable.Check Version:
wp plugin list --name='the-plus-addons-for-elementor' --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 5.5.5 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with Hover Card widget parameters
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Unexpected script tags in page responses containing 'tp-hover-card' classes or attributes
SIEM Query:
source="wordpress.log" AND "tp-hover-card" AND ("script" OR "onerror" OR "onload")🔗 References
- https://plugins.trac.wordpress.org/changeset/3090866/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cc6fdb7c-b750-4f03-9785-a9dc7573580d?source=cve
- https://plugins.trac.wordpress.org/changeset/3090866/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cc6fdb7c-b750-4f03-9785-a9dc7573580d?source=cve
