CVE-2024-4401
📋 TL;DR
The Elementor Addon Elements WordPress plugin (slug addon-elements-for-elementor-page-builder) has a stored cross-site scripting (XSS) vulnerability in all versions up to and including 1.13.5. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts through the 'id' and 'eae_slider_animation' parameters; the script is saved with the page and executes in the browser of any user, including administrators, who views it. Every WordPress site running the vulnerable plugin version is affected.
💻 Affected Systems
- Elementor Addon Elements for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Because the payload runs in the browser of whoever views the page, an administrator opening it executes the attacker's script with the admin's session: the script can hijack that session, create a new administrator account, install a backdoored plugin for persistent access, deface the site, or redirect visitors to malicious sites.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect visitors to phishing sites, or display unwanted content.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential defacement of specific pages.
🎯 Exploit Status
Exploitation requires an authenticated account, but once an attacker holds contributor privileges (a role often handed to guest authors) the injection is straightforward: the payload is placed in the affected widget parameters and waits for a victim to view the page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.13.6 or later
Fix Changeset (vendor): https://plugins.trac.wordpress.org/changeset/3107074
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Addon Elements for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.13.6 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until it is patched
wp plugin deactivate addon-elements-for-elementor-page-builder
Restrict User Roles
Temporarily demote contributor (and author) accounts to subscriber so they cannot create or edit content; list the affected users first, then change each one (repeat with --role=author for authors)
wp user list --role=contributor --field=ID
wp user set-role <user_id> subscriber
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use web application firewall (WAF) rules to block XSS payloads in plugin parameters
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 1.13.5 or lower, you are vulnerable.
Check Version:
wp plugin get addon-elements-for-elementor-page-builder --field=version
Verify Fix Applied:
Verify plugin version is 1.13.6 or higher. Test parameter inputs with basic XSS payloads to confirm sanitization.
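As an added example (not code from the plugin or the advisory), the check below parses the JSON that `wp plugin list --format=json --fields=name,status,version` prints and decides whether the installed version is below the fixed 1.13.6. It compares versions numerically, because a plain string comparison gets "1.13.10" versus "1.13.6" wrong. The plugin list embedded in the block is a constructed sample, not real output from a site.

```python
import json

# Slug and fixed version from the advisory for CVE-2024-4401.
VULN_SLUG = "addon-elements-for-elementor-page-builder"
FIXED_VERSION = "1.13.6"


def parse_version(version):
    """Turn '1.13.5' into (1, 13, 5) so comparison is numeric, not lexical.

    Non-numeric suffixes such as '-beta' are dropped; treat pre-releases of
    1.13.6 with suspicion and confirm against the changeset if you see one."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the given plugin version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_plugin_list(json_text):
    """Inspect wp-cli's JSON plugin list for the vulnerable plugin.

    json_text is assumed to be the output of:
        wp plugin list --format=json --fields=name,status,version
    An inactive-but-installed copy is still reported: it becomes exploitable
    the moment someone re-enables it."""
    for plugin in json.loads(json_text):
        if plugin.get("name") == VULN_SLUG:
            return {
                "installed": True,
                "status": plugin.get("status"),
                "version": plugin.get("version"),
                "vulnerable": is_vulnerable(plugin.get("version", "0")),
            }
    return {"installed": False}


# Constructed sample of wp-cli output; the versions are illustrative.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "version": "3.21.0"},
    {"name": VULN_SLUG, "status": "active", "version": "1.13.5"},
])

if __name__ == "__main__":
    print(check_plugin_list(SAMPLE_PLUGIN_LIST))
```

Pipe the real command's output into `check_plugin_list` on the site you are auditing; the function reports the status as well, so a deactivated copy still shows up for removal.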
📡 Detection & Monitoring
Log Indicators:
- Unusual POST or GET requests to plugin endpoints carrying script markers in the 'id' or 'eae_slider_animation' parameters; expect the payload to be URL-encoded (for example %3Cscript%3E), so decode before matching
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected iframe or script injections in page responses
SIEM Query:
source="wordpress.log" AND ("addon-elements" OR "eae_slider_animation") AND ("<script>" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onerror%3D" OR "onload=" OR "onload%3D")
Note: the literal terms only match unencoded or singly encoded payloads; if your SIEM can URL-decode the request field, match on the decoded value instead.
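The query above is only as good as the encoding it anticipates. As an added example (not part of the advisory or the plugin), the script below applies the same idea to web-server access logs in combined format: it extracts the request target, URL-decodes the watched parameters repeatedly so double-encoded payloads are visible, and flags values that contain script markers. The log lines embedded in it are constructed for the example; the IP addresses, timestamps and paths are illustrative and not taken from any real incident.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters named in the advisory for CVE-2024-4401.
WATCHED_PARAMS = {"id", "eae_slider_animation"}

# Case-insensitive markers of injected script. Deliberately narrow; widen for your site.
XSS_PATTERN = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*iframe|<\s*svg",
    re.IGNORECASE,
)

# Apache/nginx "combined" log format; the constructed sample below follows it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def fully_unquote(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(query_or_body):
    """Return [(name, decoded value)] for watched parameters carrying script markers.

    Accepts a URL query string or a form-encoded request body captured by a WAF,
    since access logs alone do not record POST bodies."""
    hits = []
    for name, value in parse_qsl(query_or_body, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        decoded = fully_unquote(value)  # parse_qsl decoded once; peel further layers
        if XSS_PATTERN.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return one finding per watched parameter with a script marker, per log line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, decoded in suspicious_params(query):
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "method": m.group("method"),
                "param": name,
                "value": decoded,
            })
    return findings


# Constructed sample: benign request, single-encoded <script>, double-encoded
# onerror handler, and a payload in an unwatched parameter (not flagged here).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /?id=42&eae_slider_animation=fade HTTP/1.1" 200 1024
203.0.113.5 - - [10/May/2024:12:00:07 +0000] "GET /?eae_slider_animation=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1100
198.51.100.9 - - [10/May/2024:12:01:30 +0000] "GET /?id=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 900
198.51.100.9 - - [10/May/2024:12:02:00 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 800
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

The marker list is intentionally short to keep false positives down; an `on...=` fragment inside an ordinary value will still fire, so treat hits as leads for review rather than as alerts in their own right. Feed `suspicious_params` the decoded body from your WAF or reverse proxy to cover the POST requests that actually store the payload.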
🔗 References
- https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/animated-text/widgets/animated-text.php#L358
- https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/trunk/modules/bg-slider/module.php#L284
- https://plugins.trac.wordpress.org/changeset/3107074#file6
- https://plugins.trac.wordpress.org/changeset/3107074#file7
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ecfc1466-41d2-498b-8210-c67e8550f5b8?source=cve