CVE-2024-4485
📋 TL;DR
This stored XSS vulnerability in The Plus Addons for Elementor WordPress plugin allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into website pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- The Plus Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Session hijacking, credential theft, or website defacement by malicious contributors or compromised accounts.
If Mitigated
Limited impact with proper user access controls and content security policies in place.
🎯 Exploit Status
Exploitation requires contributor-level WordPress access. The vulnerability is well-documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 5.5.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3083932
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'The Plus Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.5.3+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily restrict contributor-level users from editing content until patched.
Content Security Policy
Implement CSP headers to restrict script execution from untrusted sources.
Add to .htaccess: Header set Content-Security-Policy "script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "script-src 'self'";
🧯 If You Can't Patch
- Disable the vulnerable plugin completely
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. Look for 'The Plus Addons for Elementor' version 5.5.2 or earlier.
Check Version:
wp plugin list --name='the-plus-addons-for-elementor-page-builder' --field=version
Verify Fix Applied:
Confirm plugin version is 5.5.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin with button_custom_attributes parameter
- Multiple page edits by contributor-level users
Network Indicators:
- Script tags with unusual attributes in page responses
- External script loads from unexpected domains
SIEM Query:
source="wordpress.log" AND "button_custom_attributes" AND ("POST" OR "UPDATE")
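The version check from "How to Verify" and the log indicator above, worked into a small detection script. This is an added example, not code from the advisory or the plugin; it assumes the log source records request parameters (for example a WAF or audit log), since a standard access log does not capture POST bodies, and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs

FIXED_VERSION = (5, 5, 3)  # first release with the fix, per the advisory
PARAM = "button_custom_attributes"  # parameter named in the Log Indicators

# Constructed sample lines in combined-log shape (not from a real site).
# Only the third one carries the suspicious parameter on a POST to wp-admin.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:30 +0000] "POST /wp-admin/post.php?button_custom_attributes=data-foo%3Dbar HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """Turn '5.5.2' (or '5.5.3-beta') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_suspicious_requests(log_text: str) -> list:
    """Return POST requests to wp-admin that carry the button_custom_attributes parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, _, query = m["target"].partition("?")
        if m["method"] != "POST" or "/wp-admin/" not in path:
            continue
        params = parse_qs(query, keep_blank_values=True)
        if PARAM in params:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                         "value": params[PARAM][0]})
    return hits


if __name__ == "__main__":
    print("5.5.2 vulnerable:", is_vulnerable("5.5.2"))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("ALERT", hit)
```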
🔗 References
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.2/modules/widgets/tp_button.php#L1538
- https://plugins.trac.wordpress.org/changeset/3083932
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4890cd48-a448-4af1-ae1e-6456300434e5?source=cve