CVE-2024-3728

6.4 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability lets authenticated WordPress users with contributor-level access or higher inject arbitrary scripts into pages through the Essential Addons for Elementor plugin's Filterable Gallery and Interactive Circle widgets. The scripts execute in the browser of anyone who visits an affected page, enabling attackers to steal session cookies, redirect users, or perform other actions in the victim's context. All WordPress sites running vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
Versions: All versions up to and including 5.9.15
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with the Essential Addons for Elementor plugin installed and at least one contributor-level user account.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could steal administrator credentials, redirect users to malicious sites, deface websites, or install backdoors for persistent access.

🟠 Likely Case: Malicious contributors or compromised accounts inject tracking scripts, adware, or credential-stealing scripts into website pages.

🟢 If Mitigated: With proper user access controls and content review processes, only trusted users can create/modify content, limiting exploitation risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires contributor-level WordPress access. Attack vectors include compromised accounts or malicious insiders.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.9.16

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3075644/essential-addons-for-elementor-lite/tags/5.9.16/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Essential Addons for Elementor'
4. Click 'Update Now' if available
5. If not, download version 5.9.16+ from WordPress repository
6. Deactivate old version
7. Upload and activate new version

🔧 Temporary Workarounds

Disable vulnerable widgets (applies to: all): Temporarily disable the Filterable Gallery and Interactive Circle widgets in the plugin settings.

Restrict user roles (applies to: all): Limit contributor-level access to trusted users only.

🧯 If You Can't Patch

  • Implement strict user access controls and review all content from contributor-level users
  • Use web application firewall (WAF) rules to block XSS payloads targeting these widgets

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → Essential Addons for Elementor version. If version is 5.9.15 or lower, you are vulnerable.

Check Version:

wp plugin list --name='essential-addons-for-elementor' --field=version

Verify Fix Applied:

After updating, verify version shows 5.9.16 or higher in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual content modifications by contributor-level users
  • Suspicious script tags in page content containing 'eael-filterable-gallery' or 'eael-interactive-circle'

Network Indicators:

  • Unexpected JavaScript execution from page elements using vulnerable widget classes

SIEM Query:

source="wordpress.log" AND ("eael-filterable-gallery" OR "eael-interactive-circle") AND ("script" OR "onclick" OR "javascript:")
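As an added example (not code from the advisory or from the plugin), the script below implements the two checks this page describes: the version comparison from "How to Verify" against the 5.9.16 patch level, and the script-indicator logic of the SIEM query (script tags, on* handlers, javascript: URLs scoped to the eael-filterable-gallery and eael-interactive-circle widget classes), applied to exported post HTML rather than to logs. The widget class names and patch version are taken from this page; the sample post content is constructed.

```python
from html.parser import HTMLParser
PATCHED_VERSION = "5.9.16"  # first fixed release named in the advisory
WIDGET_CLASSES = {"eael-filterable-gallery", "eael-interactive-circle"}
VOID_TAGS = {"img", "br", "hr", "input", "source", "meta", "link"}

def is_vulnerable(installed):
    """True when the installed version is below 5.9.16 (i.e. 5.9.15 or lower)."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(installed) < as_tuple(PATCHED_VERSION)

class WidgetScriptScanner(HTMLParser):
    # Flags <script>, on* handlers and javascript: URLs only inside the two widgets.
    def __init__(self):
        super().__init__()
        self.stack = []     # enclosing widget class (or None) per open tag
        self.findings = []  # (widget class, tag, indicator)
    def _enclosing(self, attrs):
        own = set((dict(attrs).get("class") or "").split()) & WIDGET_CLASSES
        return own.pop() if own else next((w for w in reversed(self.stack) if w), None)
    def _inspect(self, tag, attrs, widget):
        if not widget:
            return
        if tag == "script":
            self.findings.append((widget, tag, "<script>"))
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            if name.startswith("on"):
                self.findings.append((widget, tag, name))
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append((widget, tag, f"{name}=javascript:"))
    def handle_starttag(self, tag, attrs):
        widget = self._enclosing(attrs)
        self._inspect(tag, attrs, widget)
        if tag not in VOID_TAGS:  # void elements never get a matching end tag
            self.stack.append(widget)
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

def scan_post_content(html):
    """Return script indicators found inside the two widgets' markup."""
    scanner = WidgetScriptScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample post content: one clean gallery, one tampered circle widget,
# plus a handler outside any widget that must not be reported.
SAMPLE = ('<div class="eael-filterable-gallery"><img src="/a.jpg" alt="ok"></div>'
          '<div class="eael-interactive-circle"><span onclick="track()">x</span>'
          '<a href="javascript:void(0)">y</a></div><p onclick="fine()">outside</p>')
```

Feed the function the output of `wp post list --field=post_content` (or a database export) to review contributor-authored pages; findings name the widget, the element and the indicator so each hit can be checked in the editor.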
