CVE-2024-3134
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into web pages using the Master Addons plugin. The stored XSS payload executes whenever users visit compromised pages, potentially affecting all visitors to vulnerable WordPress sites.
💻 Affected Systems
- Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor
📦 What is this software?
Master Addons by Master Addons
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session data or redirect visitors to phishing sites, compromising user privacy and site integrity.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential data leakage from users visiting compromised pages.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.6.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3087193%40master-addons%2Ftrunk&old=3078134%40master-addons%2Ftrunk
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Master Addons for Elementor' and click 'Update Now'.
4. Verify the update to version 2.0.6.1 or higher.
🔧 Temporary Workarounds
Restrict User Roles
Limit contributor and author roles to trusted users only
Implement Content Security Policy
Add CSP headers to restrict script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
Note that this policy also blocks inline scripts, which the WordPress admin and Elementor rely on; roll it out as Content-Security-Policy-Report-Only first and check the violation reports before enforcing it. A CSP limits what an injected script can do but does not remove stored payloads from existing pages.
🧯 If You Can't Patch
- Disable the Master Addons plugin until patched
- Implement strict user access controls and audit contributor accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Master Addons for Elementor version
Check Version:
wp plugin list --name='master-addons' --field=version
Verify Fix Applied:
Confirm plugin version is 2.0.6.1 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with title_html_tag parameter
- Multiple page edits from contributor accounts
Network Indicators:
- Script tags with unusual attributes in page responses
- External script loads from unexpected domains
SIEM Query:
source="wordpress.log" AND ("title_html_tag" OR "master-addons") AND status=200
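A small detection script, added here as an illustration and not part of the advisory or the plugin's code, that implements the log indicator above: it parses constructed key=value request log lines (the log fields and the ALLOWED_TAGS list are assumptions) and flags wp-admin POSTs whose title_html_tag value is anything other than a plain, allowlisted tag name.

```python
"""Flag wp-admin POSTs whose title_html_tag value is not a plain, allowlisted tag."""
import re
from urllib.parse import parse_qs

# Tag names a heading-style widget legitimately accepts (assumption, adjust to the site).
ALLOWED_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p"}

# Matches key=value and key="quoted value" pairs in a structured log line.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn '<ts> k=v k2="v 2"' into a dict; the leading timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, _, quoted, bare in _KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def is_allowed_tag(value):
    """True only for an exact allowlisted tag name; any extra characters fail."""
    return value.lower() in ALLOWED_TAGS


def suspicious_tag_writes(lines):
    """Return (ts, user, value) for wp-admin POSTs carrying a non-allowlisted title_html_tag."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if f.get("method") != "POST" or not f.get("path", "").startswith("/wp-admin/"):
            continue
        for value in parse_qs(f.get("body", "")).get("title_html_tag", []):
            if not is_allowed_tag(value):
                hits.append((f["ts"], f.get("user", "?"), value))
    return hits


# Constructed sample lines (not real traffic): one benign save, one anomalous value, one GET.
SAMPLE_LOG = [
    '2024-03-20T10:15:02Z method=POST path=/wp-admin/post.php user=editor01 role=editor status=200 body="post_ID=42&title_html_tag=h2"',
    '2024-03-20T10:16:40Z method=POST path=/wp-admin/post.php user=contrib07 role=contributor status=200 body="post_ID=43&title_html_tag=h2+x%3D1"',
    '2024-03-20T10:17:11Z method=GET path=/wp-admin/edit.php user=contrib07 role=contributor status=200',
]

if __name__ == "__main__":
    for hit in suspicious_tag_writes(SAMPLE_LOG):
        print("suspicious title_html_tag:", hit)
```

Pair the hits with the account's role so that contributor-level writes of non-tag values are triaged first.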
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3087193%40master-addons%2Ftrunk&old=3078134%40master-addons%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6106c972-5475-4c19-8630-3a01edc616ad?source=cve