CVE-2024-3819
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability: authenticated WordPress users with contributor-level access or higher can inject malicious scripts into pages through the Jeg Elementor Kit plugin's Banner widget. The injected scripts are stored with the page and execute whenever users view it, enabling session hijacking, credential theft, or site defacement. All WordPress sites running vulnerable versions of the Jeg Elementor Kit plugin are affected.
💻 Affected Systems
- Jeg Elementor Kit WordPress Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access, steal sensitive data, install backdoors, or redirect users to malicious sites, potentially compromising the entire WordPress installation and user data.
Likely Case
Attackers deface websites, inject cryptocurrency miners, steal session cookies, or redirect users to phishing pages, damaging reputation and user trust.
If Mitigated
With proper user role management and content review, impact is limited to minor defacement or script injection that can be quickly detected and removed.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor-level credentials. The vulnerability is well-documented and easy to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.5 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Jeg Elementor Kit' and click 'Update Now'.
4. Verify the plugin version is 2.6.5 or higher.
🔧 Temporary Workarounds
Restrict User Roles
Limit contributor-level access to trusted users only and implement strict user role management.
Disable Banner Widget
Temporarily disable the vulnerable JKit - Banner widget until patching is complete.
🧯 If You Can't Patch
- Implement strict content review processes for all user-generated content using the Banner widget.
- Use a web application firewall (WAF) with XSS protection rules to block malicious script injection attempts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Jeg Elementor Kit version. If version is 2.6.4 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=jeg-elementor-kit --field=version (if WP-CLI is installed)
Verify Fix Applied:
After updating, verify the plugin version shows 2.6.5 or higher in the WordPress plugins list.
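The WP-CLI command above only prints the version string; the following added script (not from the advisory or the plugin project) compares it numerically against the patched 2.6.5 release so the check can be scripted across many sites. It assumes WP-CLI is installed and is run from the WordPress root; the helper names version_lt, jek_is_vulnerable and report are my own.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed
# Jeg Elementor Kit version is below the patched 2.6.5 release.
# Assumes WP-CLI is installed and the script runs from the WordPress root;
# the comparison itself needs only POSIX sh and works offline.

PATCHED_VERSION="2.6.5"

# version_lt A B: succeed (exit 0) if dotted version A sorts before B.
# Components are compared numerically, so 2.6.10 is newer than 2.6.5
# (a plain string comparison would get this wrong). Missing components
# count as 0, so "2.6" equals "2.6.0". Pre-release suffixes such as
# "2.6.5-beta" are not handled.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; a="${a#*.}"
        bi="${b%%.*}"; b="${b#*.}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# jek_is_vulnerable VERSION: succeed if VERSION is affected by CVE-2024-3819.
jek_is_vulnerable() {
    version_lt "$1" "$PATCHED_VERSION"
}

# report VERSION: print a verdict; exit status 1 when vulnerable, 0 otherwise.
report() {
    if jek_is_vulnerable "$1"; then
        echo "VULNERABLE: jeg-elementor-kit $1 is older than $PATCHED_VERSION"
        return 1
    fi
    echo "OK: jeg-elementor-kit $1 includes the fix"
}

# Query the live site only when WP-CLI is available.
if command -v wp >/dev/null 2>&1; then
    installed="$(wp plugin list --name=jeg-elementor-kit --field=version)"
    if [ -n "$installed" ]; then
        report "$installed"
    else
        echo "jeg-elementor-kit is not installed on this site"
    fi
fi
```

The non-zero exit status from report lets the script be dropped into a fleet inventory job that flags sites still on 2.6.4 or older.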
📡 Detection & Monitoring
Log Indicators:
- Unusual content modifications in posts/pages using Banner widget
- Multiple failed login attempts followed by successful contributor-level login
- Suspicious script tags in page content
Network Indicators:
- Unexpected outbound connections from WordPress site to unknown domains
- Script injection patterns in HTTP requests to WordPress admin
SIEM Query:
source="wordpress.log" AND ("jkit-banner" OR "jeg-elementor-kit") AND ("script" OR "onerror" OR "javascript:")
🔗 References
- https://plugins.trac.wordpress.org/browser/jeg-elementor-kit/tags/2.6.4/class/elements/views/class-banner-view.php#L55
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3077328%40jeg-elementor-kit&new=3077328%40jeg-elementor-kit&sfp_email=&sfph_mail=#file565
- https://www.wordfence.com/threat-intel/vulnerabilities/id/46868a11-0c82-4bd3-82b5-9a19a5a0cef1?source=cve