CVE-2024-4107
📋 TL;DR
This stored XSS vulnerability in the Elementor Pro plugin allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into WordPress pages. The scripts execute in the browser of anyone who views the affected page, including editors and administrators, and can act with that user's session, for example to steal credentials or perform unauthorized actions. It affects WordPress sites running Elementor Pro version 3.21.0 or earlier; version 3.21.1 fixes it.
💻 Affected Systems
- Elementor Pro (Elementor Website Builder – More than Just a Page Builder, Pro edition), versions 3.21.0 and earlier
📦 What is this software?
Elementor Pro is the paid edition of the Elementor drag-and-drop website builder for WordPress; it adds widgets, theme building and form features on top of the free Elementor plugin.
⚠️ Risk & Real-World Impact
Worst Case
An administrator views a page containing the injected script, which then runs with the administrator's session: it could create new privileged users, change site settings, deface pages, or redirect visitors to malicious sites, leading to complete site compromise.
Likely Case
A user with contributor access injects a script into content that an editor or administrator later reviews in the browser. Because WordPress sets its authentication cookies as HttpOnly, raw cookie theft is unlikely; the realistic outcome is the script performing actions with the viewer's session (or phishing for credentials in-page), leading to account takeover.
If Mitigated
With input sanitization and output escaping in place (which the patched plugin provides), contributor-supplied values render as inert text rather than executable script, and only trusted content is displayed to users.
🎯 Exploit Status
Exploitation requires an authenticated account with contributor permissions or higher. The root cause is insufficient input sanitization and output escaping on multiple parameters, so injected content is stored and later rendered unescaped to whoever views the page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.21.1 or later
Vendor Advisory: https://elementor.com/help/security-advisory/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Elementor Pro and click 'Update Now'.
4. Verify the update to version 3.21.1 or higher.
🔧 Temporary Workarounds
Restrict User Permissions
Temporarily limit contributor-level permissions, or review user roles and remove accounts that do not need to author content, to minimize the attack surface. Contributors cannot publish in default WordPress, so the person most likely to view injected content first is the editor or administrator reviewing it.
Content Security Policy (CSP)
Implement CSP headers to restrict script execution sources. WordPress and Elementor rely on inline scripts, so the strict policy below will break the editor and parts of the front end: deploy it first as Content-Security-Policy-Report-Only, review the violation reports, and only then enforce it. CSP limits what an injected script can do; it does not remove the stored payload.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config (in the server block; a location block that sets its own add_header does not inherit it): add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
🧯 If You Can't Patch
- Disable or remove the Elementor Pro plugin until patched.
- Implement web application firewall (WAF) rules that block script markers (script tags, javascript: URLs, on* event attributes) in Elementor save requests. Match on decoded parameter values, since payloads are usually URL-encoded and often mixed-case.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Elementor Pro version. If the version is 3.21.0 or lower, the site is vulnerable; treat an inactive but installed copy as vulnerable too, since it can be reactivated at any time.
Check Version:
wp plugin list --name=elementor-pro --field=version
Verify Fix Applied:
After updating, verify Elementor Pro version is 3.21.1 or higher in WordPress admin → Plugins.
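The version check above is easy to get wrong when scripted, because a string comparison ranks "3.9.0" above "3.21.0". The following script is an added example, not code from the original page or from Elementor: it reads the JSON that `wp plugin list --format=json` prints (the sample below is constructed in that shape, not real output), compares the Elementor Pro version numerically against the 3.21.1 fix, and exits non-zero when the install is still in the affected range.

```python
"""Decide whether an installed Elementor Pro falls in the range affected by CVE-2024-4107.

Added example; it is not code from the original page or from Elementor. It reads the JSON that
`wp plugin list --format=json` prints (the sample below is constructed in that shape, not real
output) and compares versions numerically, because a plain string comparison would rank "3.9.0"
above "3.21.0" and miss a vulnerable install.
"""
import json
import re
import sys

FIXED_VERSION = "3.21.1"  # first patched release, per the advisory above
PLUGIN_SLUG = "elementor-pro"


def parse_version(version):
    """Turn '3.21.0' (or '3.21.1-rc1') into a tuple that sorts numerically.

    Missing components count as 0, so '3.21' equals '3.21.0'. The last element orders a
    pre-release below the final build of the same number, so a pre-release of the fix
    version is still reported as unpatched (the conservative choice).
    """
    core, _, suffix = version.strip().partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + (0 if suffix else 1,)


def is_vulnerable(installed):
    """True when the installed version is older than the first fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def assess(plugin_list_json):
    """Summarize Elementor Pro's state from `wp plugin list --format=json` output."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version", "0")
            return {
                "installed": True,
                "version": version,
                "status": plugin.get("status"),
                # An inactive copy still ships the vulnerable code and can be reactivated.
                "vulnerable": is_vulnerable(version),
            }
    return {"installed": False, "version": None, "status": None, "vulnerable": False}


# Constructed sample in the shape wp-cli prints; the free "elementor" plugin is listed only to
# show that the slug match is exact and does not confuse the two plugins.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "update": "none", "version": "3.21.0"},
    {"name": "elementor-pro", "status": "active", "update": "available", "version": "3.21.0"},
])

if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python3 check_elementor_pro.py
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    result = assess(piped if piped.strip() else SAMPLE_PLUGIN_LIST)
    print(json.dumps(result))
    sys.exit(1 if result["vulnerable"] else 0)
```

Pipe real wp-cli output into the script on each site you manage; with no input it runs against the constructed sample and reports it as vulnerable. The exit code makes it usable as a fleet-wide check from a cron job or CI step.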
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Elementor save endpoints whose decoded parameters contain script tags, javascript: URLs, or on* event handler attributes
- Multiple failed login attempts followed by a successful login to a contributor-level account (brute-forcing a low-privilege account is the cheapest way to obtain the access this bug requires)
Network Indicators:
- Inbound POST requests carrying JavaScript payloads, often URL-encoded or mixed-case, in Elementor parameters
- Visitors' browsers (not the server) connecting to unfamiliar domains after loading affected pages; these appear in CSP violation reports or browser-side monitoring rather than in server egress logs
SIEM Query:
source="wordpress.log" AND ("elementor" AND ("<script>" OR "javascript:" OR "onerror="))
This literal match is a starting point only: depending on the SIEM it may be case-sensitive, it misses URL-encoded payloads (%3Cscript%3E) and other event handlers (onload=, onmouseover=), and standard web-server access logs do not record POST bodies at all, so run it against WAF or application-level request logs rather than access logs.
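The following detector is an added example, not code from the original page or from the Elementor project. It shows what the SIEM query above cannot: it decodes each parameter (repeatedly, to defeat double encoding), matches markers case-insensitively, and restricts alerts to POSTs that actually target Elementor. The input format (one JSON object per line with method, uri, user and raw body, as a WAF or application-level request logger would emit), the Elementor endpoint patterns (admin-ajax actions prefixed `elementor` and the `/wp-json/elementor/` namespace) and every sample record are constructed assumptions, not captured traffic; confirm the endpoints against your own logs before relying on them.

```python
"""Flag Elementor save requests whose decoded parameters carry script-injection markers.

Added example; it is not code from the original page or from Elementor. Input is one JSON
object per line with method, uri, user and the raw request body, as a WAF or application-level
request logger would emit (plain access logs do not record POST bodies). The endpoint patterns
and every sample line below are constructed assumptions, not captured traffic.
"""
import html
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed Elementor save paths: the editor's admin-ajax action family and its REST namespace.
ELEMENTOR_ENDPOINT = re.compile(r"/wp-admin/admin-ajax\.php|/wp-json/elementor/", re.I)
ELEMENTOR_ACTION = re.compile(r"^elementor", re.I)

# Checked after decoding, case-insensitively, so "<ScRiPt" and "OnErRoR=" are caught.
XSS_MARKERS = re.compile(
    r"<\s*(script|svg|iframe|img|object|embed)\b"  # tag-based payloads
    r"|javascript\s*:"                             # URL-scheme payloads
    r"|\bon[a-z]+\s*=",                            # inline event handlers
    re.I,
)


def normalize(value, rounds=3):
    """URL-decode repeatedly (double encoding is a common filter bypass), then decode
    HTML entities, so the regex sees roughly what the browser would render."""
    text = value
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return html.unescape(text).replace("\x00", "")


def suspicious_params(uri, body):
    """Return (parameter, matched marker) pairs for one request's query string and body."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    stripped = body.lstrip()
    if stripped.startswith(("{", "[")):
        pairs.append(("(json body)", stripped))  # REST requests carry a JSON body, not form fields
    else:
        pairs += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, raw in pairs:
        match = XSS_MARKERS.search(normalize(raw))
        if match:
            hits.append((name, match.group(0)))
    return hits


def scan_log(lines):
    """Return one alert per POST to an Elementor endpoint whose parameters match a marker."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        uri, body = rec.get("uri", ""), rec.get("body", "")
        if rec.get("method", "").upper() != "POST" or not ELEMENTOR_ENDPOINT.search(uri):
            continue
        if "admin-ajax.php" in uri.lower():
            # admin-ajax.php is shared by every plugin; keep only Elementor's own actions.
            params = dict(parse_qsl(body, keep_blank_values=True))
            params.update(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
            if not ELEMENTOR_ACTION.match(params.get("action", "")):
                continue
        hits = suspicious_params(uri, body)
        if hits:
            alerts.append({"user": rec.get("user"), "uri": uri, "hits": hits})
    return alerts


# Constructed sample records (not real traffic): one benign save, two encoded payloads via
# admin-ajax, a non-Elementor admin-ajax call that must not alert, a GET, and a REST JSON body.
SAMPLE_RECORDS = [
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php", "user": "editor_ann",
     "body": "action=elementor_ajax&actions=%7B%22save_builder%22%3A%7B%22data%22%3A%7B%22elements%22%3A%5B%5D%7D%7D%7D"},
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php", "user": "contrib_bob",
     "body": "action=elementor_ajax&actions=%7B%22title%22%3A%22%3CScRiPt%3Ealert(1)%3C%2FScRiPt%3E%22%7D"},
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php", "user": "contrib_bob",
     "body": "action=elementor_ajax&custom_attributes=x%2522%2520OnErRoR%253Dalert%25281%2529"},
    {"method": "POST", "uri": "/wp-admin/admin-ajax.php", "user": "editor_ann",
     "body": "action=heartbeat&data=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"method": "GET", "uri": "/wp-json/elementor/v1/documents/12", "user": "contrib_eve", "body": ""},
    {"method": "POST", "uri": "/wp-json/elementor/v1/documents/12", "user": "contrib_eve",
     "body": "{\"settings\": {\"link\": \"javascript:alert(1)\"}}"},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]


def demo():
    """Run the scanner over the constructed sample; three of the six records should alert."""
    return scan_log(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in demo():
        print(json.dumps(alert))
```

The event-handler pattern (`on[a-z]+=`) is deliberately broad and will also fire on harmless values such as `one=1`, so treat alerts as triage candidates and correlate the `user` field with the contributor-level accounts the page identifies as the attacker population.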
🔗 References
- https://doc.clickup.com/9011113249/d/h/8chnb91-5091/3951e6f2afbd388
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0d5d47bd-4f05-4dc7-84c1-f7bc1196ee16?source=cve