CVE-2024-3489
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform reflected cross-site scripting attacks via the Countdown Expired Title parameter in the Exclusive Addons for Elementor WordPress plugin. Attackers can inject malicious scripts that execute when users click specially crafted links, potentially stealing session cookies or redirecting to malicious sites. All WordPress sites using this plugin up to version 2.6.9.4 are affected.
💻 Affected Systems
- Exclusive Addons for Elementor WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain administrative access to WordPress, install backdoors, deface websites, or steal sensitive user data.
Likely Case
Attackers steal user session cookies, perform account takeovers, redirect users to phishing sites, or display malicious content.
If Mitigated
With proper Content Security Policy headers and modern browser XSS protections, script execution may be blocked, limiting impact to failed attack attempts.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly weaponized. Attack requires social engineering to trick users into clicking malicious links.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.9.5 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3074085/exclusive-addons-for-elementor/trunk/elements/countdown-timer/countdown-timer.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Exclusive Addons for Elementor'. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Countdown Timer Element
allTemporarily disable the vulnerable countdown timer element until patching is possible.
Navigate to WordPress admin → Elementor → Exclusive Addons → Elements → Disable 'Countdown Timer'
Implement Content Security Policy
allAdd CSP headers to restrict script execution sources and mitigate XSS impact.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure via web server settings
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in URL parameters
- Disable the Exclusive Addons plugin entirely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Exclusive Addons for Elementor → Version number. If version is 2.6.9.4 or lower, you are vulnerable.Check Version:
wp plugin list --name='exclusive-addons-for-elementor' --field=versionVerify Fix Applied:
After updating, verify version is 2.6.9.5 or higher. Test countdown timer functionality works without errors.📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests with script tags in 'expired_title' parameter
- Multiple failed XSS attempts in web server logs
- Suspicious referrer URLs containing script payloads
Network Indicators:
- HTTP requests with JavaScript in URL parameters
- Unusual traffic patterns to countdown timer endpoints
SIEM Query:
source="web_logs" AND (uri="*expired_title*" AND (uri="*<script*" OR uri="*javascript:*" OR uri="*onload=*"))🔗 References
- https://plugins.trac.wordpress.org/changeset/3074085/exclusive-addons-for-elementor/trunk/elements/countdown-timer/countdown-timer.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/76b987f1-2524-498a-a02c-a3ca390026e1?source=cve
- https://plugins.trac.wordpress.org/changeset/3074085/exclusive-addons-for-elementor/trunk/elements/countdown-timer/countdown-timer.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/76b987f1-2524-498a-a02c-a3ca390026e1?source=cve
