CVE-2024-3638

6.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in the Elementor Addons by Livemesh WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into web pages. The scripts execute when users visit compromised pages, potentially stealing session cookies, redirecting users, or performing actions on their behalf. All WordPress sites using this plugin up to version 8.3.7 are affected.

💻 Affected Systems

Products:
  • Elementor Addons by Livemesh WordPress plugin
Versions: All versions up to and including 8.3.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with the Elementor plugin and the Livemesh addons installed. Contributor-level authentication (or higher) is required for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over WordPress sites, install backdoors, deface websites, or redirect visitors to malicious sites.

🟠

Likely Case

Attackers with contributor accounts inject malicious scripts to steal user session data, display unwanted content, or redirect users to phishing pages.

🟢

If Mitigated

With proper user access controls and content security policies, impact is limited to minor content manipulation within the contributor's own posts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has contributor credentials. The vulnerability is in specific widget templates with insufficient output escaping.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.8

Vendor Advisory: https://wordpress.org/plugins/addons-for-elementor/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Elementor Addons by Livemesh'.
4. Click 'Update Now' if available, or manually update to version 8.3.8 or later.
5. Clear any caching plugin and CDN caches.

🔧 Temporary Workarounds

Disable vulnerable widgets

Platform: all

Temporarily disable the Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in Elementor settings

Implement Content Security Policy

Platform: linux

Add CSP headers to restrict script execution sources

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https:;"
Or add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:");
Note that 'unsafe-inline' in script-src still permits injected inline scripts to execute; this policy limits where external scripts may be loaded from but does not by itself block an inline stored XSS payload.

🧯 If You Can't Patch

  • Restrict contributor accounts: Review and remove unnecessary contributor-level users, implement strong password policies, and enable 2FA for all users.
  • Implement WAF rules: Configure web application firewall to block XSS payloads in POST requests to WordPress admin-ajax.php and widget update endpoints.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → Elementor Addons by Livemesh version. If version is 8.3.7 or lower, you are vulnerable.

Check Version:

wp plugin list --name=addons-for-elementor --field=version (WP-CLI; the plugin slug is addons-for-elementor, not the display name) or check the Stable tag in wp-content/plugins/addons-for-elementor/readme.txt

Verify Fix Applied:

After updating, verify plugin version shows 8.3.8 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with widget update actions
  • Multiple failed login attempts followed by a successful contributor login
  • User agent strings containing XSS payload patterns in WordPress logs

Network Indicators:

  • POST requests containing script tags or javascript: URIs in widget parameter fields
  • Unusual outbound connections from your WordPress site after widget updates

SIEM Query:

source="wordpress.log" AND ("admin-ajax.php" AND ("marquee" OR "testimonial" OR "slider") AND ("<script" OR "javascript:" OR "onerror="))
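As an added illustration (not from this advisory or the plugin), the script below applies the SIEM query's logic to constructed access-log lines, and goes one step further by URL-decoding (twice) and lower-casing each request so that encoded or mixed-case payloads the literal string match above would miss are still flagged. The log format, widget slugs and field names are assumptions made for the sample.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic). Assumed log format: client IP, timestamp,
# request line, status, bytes, then the POST body as a final quoted field.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "action=elementor_ajax&widget=marquee-text&text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
203.0.113.10 - - [12/Apr/2024:10:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "action=elementor_ajax&widget=testimonials&link=JavaScript%3Aalert(1)"
198.51.100.7 - - [12/Apr/2024:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 400 "action=heartbeat&interval=60"
198.51.100.7 - - [12/Apr/2024:10:03:40 +0000] "GET /index.php?p=42 HTTP/1.1" 200 8000 "-"
203.0.113.10 - - [12/Apr/2024:10:04:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "action=elementor_ajax&widget=testimonial-slider&image=x%2522%2520onerror%253Dalert(1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} (?:\d+|-) "(?P<body>[^"]*)"$'
)
WIDGET_TERMS = ("marquee", "testimonial", "slider")   # widget names from the SIEM query
XSS_MARKERS = ("<script", "javascript:", "onerror=")  # payload markers from the SIEM query

def normalize(text: str) -> str:
    """URL-decode twice (catches double encoding) and lower-case so case changes do not evade."""
    return unquote(unquote(text)).lower()

def classify(entry: dict):
    """Return the first matching marker for a widget update that carries a payload, else None."""
    if entry["method"] != "POST" or "admin-ajax.php" not in entry["path"]:
        return None
    haystack = normalize(entry["path"] + "&" + entry["body"])
    if not any(term in haystack for term in WIDGET_TERMS):
        return None
    return next((m for m in XSS_MARKERS if m in haystack), None)

def scan(log_text: str) -> list:
    """Apply the query logic line by line; return (ip, timestamp, marker) per hit."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue  # unparseable line: skip rather than guess
        marker = classify(match.groupdict())
        if marker:
            hits.append((match["ip"], match["ts"], marker))
    return hits
```

Running scan(SAMPLE_LOG) flags the three widget-update requests from 203.0.113.10 and ignores the heartbeat and page-view lines.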
