CVE-2024-4482
📋 TL;DR
This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious scripts into WordPress pages using the The Plus Addons for Elementor plugin's Countdown widget. The scripts execute whenever users view the compromised pages, enabling session hijacking, credential theft, or website defacement. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, redirect visitors to malicious sites, or use the compromised site to attack visitors' browsers.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, display fraudulent content, or redirect users to phishing pages.
If Mitigated
With proper user role management and input validation, the attack surface is limited to trusted contributors, reducing the likelihood of exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.2 or later
Vendor Advisory: https://wordpress.org/plugins/the-plus-addons-for-elementor-page-builder/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'The Plus Addons for Elementor'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 5.6.2+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily restrict contributor-level user creation and review existing contributors.
Disable Countdown Widget
allRemove or disable the vulnerable Countdown widget from all pages.
🧯 If You Can't Patch
- Implement strict user role management: only grant contributor access to trusted users and regularly audit contributor accounts.
- Install a web application firewall (WAF) with XSS protection rules to block malicious script injection attempts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → The Plus Addons for Elementor version. If version is 5.6.1 or lower, you are vulnerable.Check Version:
wp plugin list --name='the-plus-addons-for-elementor-page-builder' --field=version (if WP-CLI is installed)Verify Fix Applied:
After updating, verify the plugin version is 5.6.2 or higher in the WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual contributor account activity
- Multiple failed login attempts to contributor accounts
- POST requests to wp-admin with suspicious script tags in parameters
Network Indicators:
- Unexpected script tags in HTTP responses from WordPress pages
- External JavaScript loading from unusual domains
SIEM Query:
source="wordpress.log" AND ("tp_countdown" OR "text_days") AND ("script" OR "onerror" OR "javascript:")🔗 References
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.1/modules/widgets/tp_countdown.php#L1945
- https://wordpress.org/plugins/the-plus-addons-for-elementor-page-builder/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/25e42bf8-794e-46a5-b7db-f1f8802bba00?source=cve
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.1/modules/widgets/tp_countdown.php#L1945
- https://wordpress.org/plugins/the-plus-addons-for-elementor-page-builder/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/25e42bf8-794e-46a5-b7db-f1f8802bba00?source=cve
