CVE-2024-3926
📋 TL;DR
This stored XSS vulnerability in the Element Pack Elementor Addons WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. The scripts execute whenever users visit compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Element Pack Elementor Addons WordPress plugin
📦 What is this software?
Element Pack by Bdthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or perform limited unauthorized actions.
If Mitigated
With proper user access controls and content security policies, impact is limited to isolated script execution without data compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public proof-of-concept exists in vulnerability references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3066178
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Element Pack Elementor Addons'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.6.2+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily restrict contributor-level access or review user permissions
Implement Content Security Policy
Add CSP headers to limit script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to WordPress functions.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
The header() call must run before any output is sent. Note that script-src 'self' without 'unsafe-inline' also blocks the inline scripts that WordPress core, Elementor and many themes emit, so test the policy on a staging site before applying it to production.
🧯 If You Can't Patch
- Disable the Element Pack plugin entirely until patched
- Implement web application firewall rules to block suspicious script injection patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Element Pack Elementor Addons → Version. If version is 5.6.1 or lower, you are vulnerable.
Check Version:
wp plugin list --name=bdthemes-element-pack-lite --field=version
(wp plugin list filters on the plugin slug, which for this plugin is bdthemes-element-pack-lite as seen in the vendor repository links above; the display name 'Element Pack Elementor Addons' will not match.)
Verify Fix Applied:
After updating, verify plugin version shows 5.6.2 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to widget update endpoints
- Suspicious script tags in custom_attributes parameters
- Multiple failed login attempts followed by contributor-level access
Network Indicators:
- Unexpected script sources loading on WordPress pages
- Suspicious outbound connections from WordPress site
SIEM Query:
source="wordpress.log" AND ("custom_attributes" OR "element-pack") AND ("script" OR "javascript:" OR "onclick")
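The SIEM query above is a loose substring match. As an added example (not part of the advisory), the Python below applies the same terms to constructed wordpress.log lines after URL-decoding them, and adds a stricter second pass that separates likely injection attempts from benign hits such as the word "description". The log format, paths and usernames are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample entries standing in for the advisory's "wordpress.log" source.
SAMPLE_LOG = [
    'POST /wp-admin/admin-ajax.php user=contrib1 body="element-pack '
    'custom_attributes=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    'POST /wp-admin/admin-ajax.php user=contrib1 body="element-pack '
    'custom_attributes=href%3Djavascript%3Aalert(1)"',
    'POST /wp-admin/admin-ajax.php user=editor2 body="element-pack '
    'custom_attributes=data-id%3D42"',
    'GET /?s=element-pack+description user=anon status=200',
    'POST /wp-admin/admin-ajax.php user=contrib1 body="custom_attributes='
    'onclick%3Dalert(1)"',
]

# Terms taken verbatim from the advisory's SIEM query.
CONTEXT_TERMS = ("custom_attributes", "element-pack")
SCRIPT_TERMS = ("script", "javascript:", "onclick")

# Second-pass pattern: opening script tag, javascript: scheme, or inline handler.
INJECTION_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=")


def normalize(line: str) -> str:
    """Lower-case and URL-decode a few rounds so %3Cscript%3E is compared as <script>."""
    text = line
    for _ in range(3):  # bounded, to unwrap double encoding without looping forever
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def matches_query(line: str) -> bool:
    """Equivalent of ("custom_attributes" OR "element-pack")
    AND ("script" OR "javascript:" OR "onclick") from the advisory."""
    text = normalize(line)
    return any(t in text for t in CONTEXT_TERMS) and any(t in text for t in SCRIPT_TERMS)


def is_likely_injection(line: str) -> bool:
    """Second pass: keep only hits that contain an actual script-bearing construct."""
    return INJECTION_RE.search(normalize(line)) is not None


def find_suspicious(lines, strict: bool = False):
    """Log lines matching the query; strict=True also requires the tighter
    pattern, which drops benign hits such as the word 'description'."""
    hits = [line for line in lines if matches_query(line)]
    return [line for line in hits if is_likely_injection(line)] if strict else hits
```

Run against the sample, the loose query flags four of the five lines (including the harmless search for "description"), while the strict pass keeps only the three carrying a script tag, javascript: URL or onclick handler.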
🔗 References
- https://plugins.trac.wordpress.org/browser/bdthemes-element-pack-lite/tags/5.6.0/modules/creative-button/widgets/creative-button.php#L648
- https://plugins.trac.wordpress.org/changeset/3066178
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f931cf8e-01dd-4f0b-ac86-6e0654fd1597?source=cve