CVE-2024-4212
📋 TL;DR
The Themesflat Addons For Elementor WordPress plugin has a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. These scripts execute whenever users visit the compromised pages, potentially stealing credentials or performing unauthorized actions. This affects all WordPress sites using the plugin version 2.1.1 or earlier.
💻 Affected Systems
- Themesflat Addons For Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the website, or redirect visitors to malicious sites.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, perform actions as other users, or display phishing content.
If Mitigated
With proper user role management and content security policies, impact is limited to data exposure from affected user sessions.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges. The vulnerability is in multiple widget components.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.2 or later
Vendor Advisory: https://wordpress.org/plugins/themesflat-addons-for-elementor/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Go to Plugins → Installed Plugins. 3. Find 'Themesflat Addons For Elementor'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 2.1.2+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily remove contributor-level access for untrusted users until patching is complete.
Disable Vulnerable Widgets
allDisable the TF Group Image, TF Nav Menu, TF Posts, TF Woo Product Grid, TF Accordion, and TF Image Box widgets in Elementor settings.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use web application firewall (WAF) rules to block XSS payloads in widget parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Themesflat Addons For Elementor' version. If version is 2.1.1 or lower, you are vulnerable.Check Version:
wp plugin list --name=themesflat-addons-for-elementor --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 2.1.2 or higher in the WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Elementor widget endpoints with script tags in parameters
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript loading from your site's pages
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path="/wp-json/") AND (param_name="widget" OR param_name="elementor") AND (param_value CONTAINS "<script>" OR param_value CONTAINS "javascript:")🔗 References
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-accordion.php#L1158
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-clipping-mask.php#L619
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-imagebox.php#L1313
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-navmenu.php#L1843
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-posts.php#L3350
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-tfgroupimage.php#L423
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-woo-product-grid.php#L3646
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3099056%40themesflat-addons-for-elementor&old=3097003%40themesflat-addons-for-elementor&sfp_email=&sfph_mail=#file25
- https://wordpress.org/plugins/themesflat-addons-for-elementor/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dc686a35-4ce3-4359-a7d3-e6459e2f5dfe?source=cve
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-accordion.php#L1158
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-clipping-mask.php#L619
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-imagebox.php#L1313
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-navmenu.php#L1843
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-posts.php#L3350
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-tfgroupimage.php#L423
- https://plugins.trac.wordpress.org/browser/themesflat-addons-for-elementor/trunk/widgets/widget-woo-product-grid.php#L3646
- https://wordpress.org/plugins/themesflat-addons-for-elementor/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dc686a35-4ce3-4359-a7d3-e6459e2f5dfe?source=cve
