CVE-2024-39667

6.5 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in BdThemes Element Pack Elementor Addons allows attackers to inject malicious scripts into WordPress pages. When users view compromised pages, the scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. All WordPress sites using vulnerable versions of this Elementor addon are affected.

💻 Affected Systems

Products:
  • BdThemes Element Pack Elementor Addons
Versions: All versions through 5.6.11
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Elementor and the vulnerable Element Pack addon installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, take over WordPress sites, deface content, install backdoors, or redirect visitors to malicious sites.

🟠 Likely Case

Attackers inject malicious JavaScript to steal user session cookies, potentially compromising user accounts and performing unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Likely
Unauthenticated Exploit: No
Complexity: Low

Stored XSS vulnerabilities are commonly exploited. Attackers need to inject malicious scripts through vulnerable input fields.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.12 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/bdthemes-element-pack-lite/wordpress-element-pack-elementor-addons-plugin-5-6-11-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Element Pack Elementor Addons'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Disable the vulnerable plugin until patched

Content Security Policy (CSP)

Implement CSP headers to restrict script execution

Apache (.htaccess, requires mod_headers): Header set Content-Security-Policy "script-src 'self'"
PHP (wp-config.php, above the "That's all, stop editing!" line): header("Content-Security-Policy: script-src 'self'");

Note that `script-src 'self'` also blocks the inline scripts the WordPress admin and the Elementor editor rely on, so deploy it as Content-Security-Policy-Report-Only first and check the reports before enforcing it.

🧯 If You Can't Patch

  • Disable or remove the Element Pack Elementor Addons plugin
  • Implement web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for 'Element Pack Elementor Addons' version 5.6.11 or earlier

Check Version:

# The --name filter of `wp plugin list` matches the plugin slug, not its display title,
# so list name, title and version and filter on the title instead.
wp plugin list --fields=name,title,version | grep -i 'element pack'

Verify Fix Applied:

Verify plugin version is 5.6.12 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress admin-ajax.php or admin-post.php with script tags
  • Multiple failed login attempts following suspicious content updates

Network Indicators:

  • Outbound connections to unknown domains from WordPress site
  • Unusual JavaScript payloads in HTTP requests

SIEM Query:

source="wordpress.log" AND ("<script>" OR "javascript:" OR "onload=" OR "onerror=")
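As an added example (not part of the advisory), the following Python script applies the same indicators as the SIEM query above to constructed access-log lines, but only after percent-decoding the request, since a literal string match misses URL-encoded or double-encoded payloads. It assumes a custom log format that appends the POST body as a final quoted field; the log lines and action names are constructed.

```python
"""Scan web-server log lines for the stored-XSS indicators listed above.
Constructed example; assumes a custom log format with the POST body as a
trailing quoted field."""
import re
from html import unescape
from urllib.parse import unquote_plus

# Same markers as the SIEM query, matched case-insensitively after decoding.
MARKERS = re.compile(r"<script|javascript:|on(?:load|error)\s*=", re.IGNORECASE)
# Endpoints named under "Log Indicators" above.
ADMIN_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>[^"]*)")?$'
)

# Constructed sample lines: one encoded, one benign, one on a non-admin
# endpoint, one double-encoded (action names are placeholders, not Elementor's).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "action=save_content&data=%3Cscript%3Ehello%3C%2Fscript%3E"',
    '203.0.113.5 - - [10/Jul/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "action=heartbeat&data=ok"',
    '198.51.100.7 - - [10/Jul/2024:10:00:03 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 4096',
    '203.0.113.9 - - [10/Jul/2024:10:00:04 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "title=x&body=%253Cimg%2520onerror%253D1%253E"',
]


def normalize(text):
    """Percent-decode twice (catches double encoding), then decode HTML entities."""
    return unescape(unquote_plus(unquote_plus(text)))


def scan_log(lines):
    """Return one hit per POST to an admin endpoint whose decoded request contains a marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or path not in ADMIN_ENDPOINTS:
            continue
        decoded = normalize(m.group("path") + " " + (m.group("body") or ""))
        found = MARKERS.findall(decoded)
        if found:
            hits.append({"ip": m.group("ip"), "path": path,
                         "markers": sorted({f.lower() for f in found})})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```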
