CVE-2024-4003
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to store malicious script in a page built with the Essential Addons for Elementor plugin, via the Team Members widget's eael_team_members_image_rounded parameter. The stored XSS payload executes in the browser of every user who visits the compromised page, potentially leading to session hijacking, credential theft, or malware distribution. Sites running plugin version 5.9.15 or earlier are affected.
💻 Affected Systems
- Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (versions up to and including 5.9.15)
📦 What is this software?
Essential Addons for Elementor is a WordPress plugin that extends the Elementor page builder with a library of additional widgets, the Team Members widget among them. Widget settings entered in the Elementor editor are saved with the page and rendered into the page's HTML, which is why an unescaped setting becomes a stored XSS.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, install backdoors, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts that steal user session cookies or credentials, potentially gaining elevated privileges or compromising user accounts.
If Mitigated
With proper user role management and content review processes, the impact is limited to potential defacement or limited data exposure from lower-privileged accounts.
🎯 Exploit Status
Exploitation requires a contributor-level (or higher) account, but is straightforward once one is obtained: the payload is saved through the normal Elementor editor and fires for every visitor to the affected page. The plugin's large install base makes it an attractive target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.16 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Essential Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.9.16+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable Team Members Widget
Temporarily disable the vulnerable widget until patching is complete. Note that disabling the widget stops it from rendering, so a payload already saved in a page is no longer output, but it stays in the stored page data until removed.
Navigate to Elementor → Essential Addons → Elements → Disable 'Team Members' widget
Restrict Contributor Permissions
Temporarily remove contributor access or limit widget usage permissions
Use WordPress role management plugins to restrict contributor capabilities
🧯 If You Can't Patch
- Implement strict user role management and review all contributor-submitted content, including existing pages that already contain Team Members widgets
- Deploy web application firewall (WAF) rules to detect and block XSS payloads targeting the eael_team_members_image_rounded parameter; the value arrives URL-encoded in the POST body of an editor save, so match against the decoded body, and treat the rule as a stopgap rather than a fix
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Essential Addons for Elementor version. If version is 5.9.15 or lower, you are vulnerable.
Check Version:
wp plugin list --name='essential-addons-for-elementor-lite' --field=version
Verify Fix Applied:
Verify the plugin version is 5.9.16 or higher, then confirm that existing Team Members widgets still render correctly in the editor and on the front end.
📡 Detection & Monitoring
Log Indicators:
- POST requests to wp-admin/admin-ajax.php whose body carries the eael_team_members_image_rounded parameter with script tags, javascript: URLs, or on* event handlers (the Elementor editor saves through admin-ajax.php, so the parameter is in the request body; a plain access log does not record it, and you need WAF or request-body logging to see it)
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript payloads in page responses
SIEM Query:
source="wordpress.log" AND ("eael_team_members_image_rounded" AND ("script" OR "javascript" OR "onerror"))
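The log indicators and the SIEM query above describe a match in words; the following Python script is an added example (not the plugin's or Wordfence's code) that applies the same logic in two places a responder would look: request-body logs for the editor save, and the page data Elementor keeps in the `_elementor_data` post meta, which is where a payload that was already saved lives. The log format, the `eael-team-member` widget type name, and the sample records are constructed for the demo and are assumptions; the marker regex is deliberately broad and flags any string widget setting, not only the Team Members parameter.

```python
"""Hunt for CVE-2024-4003-style stored XSS payloads.

Added example, not code from the plugin or the advisory's sources.
The log line format, the widget type name and all sample data below are
constructed for this demo.
"""
import json
import re
from urllib.parse import unquote_plus

PARAM = "eael_team_members_image_rounded"

# Markers that indicate script injection into an HTML attribute or element.
# Broad by design (it will also match e.g. "one = two"); hits need review.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b",
    re.IGNORECASE,
)

# --- 1. Request-log side -------------------------------------------------
# Assumed WAF-style format that records the POST body (a plain Apache
# access log does not include request bodies).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) body="(?P<body>.*)"$'
)

SAMPLE_REQUEST_LOG = """\
2024-04-20T10:01:02Z 203.0.113.5 POST /wp-admin/admin-ajax.php body="action=elementor_ajax&actions=%7B%22save_builder%22%3A...%7D"
2024-04-20T10:02:15Z 203.0.113.5 POST /wp-admin/admin-ajax.php body="action=heartbeat&interval=60"
2024-04-20T10:03:41Z 198.51.100.7 POST /wp-admin/admin-ajax.php body="action=elementor_ajax&eael_team_members_image_rounded=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"
2024-04-20T10:04:09Z 198.51.100.7 POST /wp-admin/admin-ajax.php body="action=elementor_ajax&eael_team_members_image_rounded=yes"
"""


def scan_request_log(text):
    """Return (timestamp, client_ip) for admin-ajax.php POSTs whose decoded
    body names the vulnerable parameter and carries an XSS marker. This is
    the SIEM query from the advisory applied to the URL-decoded body."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or not m["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        decoded = unquote_plus(m["body"])  # the editor sends form-encoded data
        if PARAM in decoded and XSS_MARKERS.search(decoded):
            hits.append((m["ts"], m["ip"]))
    return hits


# --- 2. Stored-data side -------------------------------------------------
# Elementor stores a page's layout as JSON in the `_elementor_data` post
# meta: a tree of elements, each with "settings" and, for widgets, a
# "widgetType". The type name "eael-team-member" is assumed for the demo.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1b2c3", "elType": "section", "elements": [
        {"id": "d4e5f6", "elType": "column", "elements": [
            {"id": "0aa11b", "elType": "widget", "widgetType": "eael-team-member",
             "settings": {"eael_team_members_name": "Alice",
                          PARAM: "yes"}},
            {"id": "9cc88d", "elType": "widget", "widgetType": "eael-team-member",
             "settings": {"eael_team_members_name": "Mallory",
                          PARAM: '"><img src=x onerror=alert(document.cookie)>'}},
        ]},
    ]},
])


def walk_elements(elements):
    """Depth-first walk over the nested Elementor element tree."""
    for el in elements:
        yield el
        yield from walk_elements(el.get("elements", []))


def hunt_stored_payloads(elementor_data_json):
    """Return (widget_id, widget_type, setting_key) for every string widget
    setting that carries an XSS marker, so already-saved payloads can be
    found and removed rather than only blocked at the edge."""
    hits = []
    for el in walk_elements(json.loads(elementor_data_json)):
        if el.get("elType") != "widget":
            continue
        for key, val in el.get("settings", {}).items():
            if isinstance(val, str) and XSS_MARKERS.search(val):
                hits.append((el.get("id"), el.get("widgetType"), key))
    return hits


if __name__ == "__main__":
    for ts, ip in scan_request_log(SAMPLE_REQUEST_LOG):
        print(f"suspicious editor save at {ts} from {ip}")
    for wid, wtype, key in hunt_stored_payloads(SAMPLE_ELEMENTOR_DATA):
        print(f"stored payload in widget {wid} ({wtype}), setting {key}")
```

To run the stored-data hunt against a real site, export the meta for each Elementor page with `wp post meta get <post_id> _elementor_data` and feed the JSON to `hunt_stored_payloads`; widgets that legitimately contain markup (an HTML widget, for instance) will also be flagged and must be reviewed by hand.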
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3075644%40essential-addons-for-elementor-lite%2Ftrunk&old=3067596%40essential-addons-for-elementor-lite%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1cf3190c-e247-4bcc-99e0-2ab2d2fa0590?source=cve