CVE-2024-4156
📋 TL;DR
This stored XSS vulnerability in the Essential Addons for Elementor WordPress plugin allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into website pages. The scripts execute whenever users visit the compromised pages, potentially leading to session hijacking, credential theft, or malware distribution. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, install backdoors, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, perform phishing attacks, or deface website content.
If Mitigated
With proper input validation and output escaping, the vulnerability would be prevented, and only properly sanitized content would be displayed to users.
🎯 Exploit Status
Exploitation requires authenticated access with at least contributor permissions. The vulnerability is in a popular WordPress plugin, making it an attractive target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.18 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3079406/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Essential Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.9.18+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily remove contributor-level permissions from untrusted users until patching is complete.
Disable Event Calendar Element
Disable the vulnerable Event Calendar element if it is not in use.
🧯 If You Can't Patch
- Implement strict user access controls and review all contributor-level accounts
- Deploy a web application firewall (WAF) with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the Essential Addons for Elementor version. If the version is 5.9.17 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='essential-addons-for-elementor' --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 5.9.18 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with eael_event_text_color parameter containing script tags
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Unexpected JavaScript payloads in HTTP requests to WordPress endpoints
- Suspicious outbound connections from WordPress site after page visits
SIEM Query:
source="wordpress.log" AND ("eael_event_text_color" OR "Event_Calendar.php") AND ("<script>" OR "javascript:")
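The log indicator above (POST requests to admin-ajax.php carrying an eael_event_text_color parameter with script content) can be checked offline against web server access logs. The following is an added example written for this page, not code from the plugin or from Wordfence; it assumes Apache/nginx combined-format access logs where the parameter appears in the query string, and the sample lines are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=eael_save&eael_event_text_color=%23ff0000 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2024:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=eael_save&eael_event_text_color=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2024:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [10/May/2024:12:00:12 +0000] "POST /wp-admin/admin-ajax.php?action=eael_save&eael_event_text_color=JavaScript%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PARAM = "eael_event_text_color"          # parameter named in the advisory
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def suspicious_values(target):
    """Return decoded values of PARAM that contain script markers,
    but only for requests to admin-ajax.php."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if decode_fully(name) != PARAM:
            continue
        for v in values:
            decoded = decode_fully(v)
            if any(marker in decoded.lower() for marker in SCRIPT_MARKERS):
                hits.append(decoded)
    return hits


def scan_log(text):
    """Return (ip, timestamp, decoded payload) for every POST line matching the indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        for payload in suspicious_values(m.group("target")):
            findings.append((m.group("ip"), m.group("ts"), payload))
    return findings


if __name__ == "__main__":
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {PARAM}={payload!r}")
```

Standard access logs record only the query string; a parameter sent in a POST body is visible only if a WAF, reverse proxy or WordPress request-logging plugin records bodies, so feed those logs to the same scan where available. The repeated decoding step matters because the plugin value passes through WordPress and browser encoding layers, and a single-pass match on the raw line (as in the SIEM query above) misses percent-encoded payloads.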
🔗 References
- https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Event_Calendar.php#L3125
- https://plugins.trac.wordpress.org/changeset/3079406/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/23a66e6b-cec0-4110-9bef-a5d41ce1c954?source=cve