CVE-2024-3885
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into web pages using the Premium Addons for Elementor plugin. The stored XSS payload executes whenever users visit compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Premium Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions as authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts that steal user session cookies or credentials when visitors access affected pages.
If Mitigated
With proper user role management and input validation, impact is limited to low-privilege content manipulation by authorized users.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is publicly documented with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.10.29 and later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Premium Addons for Elementor'. 4. Click 'Update Now' if available. 5. Alternatively, download version 4.10.29+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Temporarily disable plugin
allDisable the vulnerable plugin until patched, though this may break site functionality.
wp plugin deactivate premium-addons-for-elementor
Restrict user roles
linuxTemporarily remove contributor and author roles or limit their capabilities.
wp user list --role=contributor --field=ID | xargs wp user set-role subscriber
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Add web application firewall rules to block suspicious subcontainer parameter values
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 4.10.28 or lower, you are vulnerable.Check Version:
wp plugin get premium-addons-for-elementor --field=versionVerify Fix Applied:
Verify plugin version is 4.10.29 or higher. Test subcontainer parameter inputs are properly sanitized.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with subcontainer parameters
- Multiple page edits by contributor-level users in short time
Network Indicators:
- Script tags with unusual attributes in page responses
- External script loads from unexpected domains
SIEM Query:
source="wordpress.log" AND "subcontainer" AND ("script" OR "onload" OR "onerror")🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3075668%40premium-addons-for-elementor%2Ftrunk&old=3066988%40premium-addons-for-elementor%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4111ba11-ad79-466a-9669-3c35730a331a?source=cve
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3075668%40premium-addons-for-elementor%2Ftrunk&old=3066988%40premium-addons-for-elementor%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4111ba11-ad79-466a-9669-3c35730a331a?source=cve
