CVE-2024-3197
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into pages using The Plus Addons for Elementor plugin. The scripts execute whenever users view the compromised pages, enabling potential session hijacking, defacement, or malware distribution. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- The Plus Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, install backdoors, or completely compromise the WordPress site and potentially the server.
Likely Case
Site defacement, cookie theft leading to account takeover, or injection of cryptocurrency miners/adware on visitor browsers.
If Mitigated
Limited to low-privilege user account compromise if proper access controls and content security policies are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.0
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'The Plus Addons for Elementor'. 4. Click 'Update Now' if available, or download version 5.5.0+ from WordPress repository. 5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate The Plus Addons for Elementor plugin until patched
wp plugin deactivate the-plus-addons-for-elementor
Restrict user roles
allLimit contributor-level access and review user permissions
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use web application firewall (WAF) rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 5.4.2 or lower, you are vulnerable.Check Version:
wp plugin get the-plus-addons-for-elementor --field=versionVerify Fix Applied:
Confirm plugin version is 5.5.0 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to widget update endpoints
- Suspicious script tags in page content
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected script loads in page responses
SIEM Query:
source="wordpress.log" AND ("the-plus-addons" OR "elementor") AND ("update" OR "widget" OR "attribute")🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3056776%40the-plus-addons-for-elementor-page-builder%2Ftags%2F5.4.2&new=3076733%40the-plus-addons-for-elementor-page-builder%2Ftags%2F5.5.0
- https://www.wordfence.com/threat-intel/vulnerabilities/id/af650c7a-c413-4f4a-9e4b-8ddcd8da5397?source=cve
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3056776%40the-plus-addons-for-elementor-page-builder%2Ftags%2F5.4.2&new=3076733%40the-plus-addons-for-elementor-page-builder%2Ftags%2F5.5.0
- https://www.wordfence.com/threat-intel/vulnerabilities/id/af650c7a-c413-4f4a-9e4b-8ddcd8da5397?source=cve
