CVE-2024-4489
📋 TL;DR
The Royal Elementor Addons and Templates WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into web pages. These scripts execute when users visit the compromised pages, potentially leading to session hijacking, defacement, or malware distribution. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Royal Elementor Addons and Templates WordPress plugin
📦 What is this software?
Royal Elementor Addons by Royal Elementor Addons
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, redirect users to malicious sites, or deploy ransomware payloads to visitors.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing pages, or deface website content.
If Mitigated
With proper input validation and output escaping, the vulnerability would be prevented, and only sanitized content would be displayed to users.
🎯 Exploit Status
Exploitation requires authenticated access with contributor permissions or higher. The vulnerability lies in the plugin's 'custom_upload_mimes' function, which does not sufficiently sanitize its input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.977 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3097775/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Royal Elementor Addons and Templates'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.3.977+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate royal-elementor-addons
Restrict User Roles
Temporarily remove contributor and author roles or limit their permissions
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Regularly audit user accounts and remove unnecessary contributor/author permissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Royal Elementor Addons and Templates → Version number. If version ≤ 1.3.976, you are vulnerable.
Check Version:
wp plugin get royal-elementor-addons --field=version
Verify Fix Applied:
After updating, confirm plugin version is 1.3.977 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php or admin pages with script tags
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Unexpected JavaScript payloads in HTTP requests to WordPress admin endpoints
- Suspicious file uploads with script content
SIEM Query:
source="wordpress.log" AND ("custom_upload_mimes" OR "royal-elementor" OR "templates-kit.php") AND ("script" OR "javascript" OR "onload=")
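As an added illustration (not part of this advisory), the following Python ties the version check from "How to Verify" to the SIEM query above: it compares the version string printed by `wp plugin get royal-elementor-addons --field=version` numerically against 1.3.977 (plain string comparison misorders versions such as 1.3.1000) and applies the query's AND/OR terms to log lines. The log lines and their field layout are constructed for the demo and assume nothing about the real log format.

```python
import re

# Constructed WordPress-style log lines for the demo (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 contributor POST /wp-admin/admin-ajax.php plugin=royal-elementor body="<script>..."',
    '203.0.113.7 contributor GET /wp-admin/plugins.php plugin=royal-elementor',
    '198.51.100.3 admin POST /wp-admin/admin-ajax.php plugin=contact-form body="<script>..."',
    '203.0.113.7 contributor POST /wp-admin/admin-ajax.php file=templates-kit.php body="<svg onload=...>"',
]

# First patched release named in the advisory.
PATCHED_VERSION = (1, 3, 977)


def parse_version(version: str) -> tuple:
    """Turn '1.3.976' into (1, 3, 976) so versions compare numerically.

    Text comparison gets this wrong: '1.3.1000' < '1.3.977' as strings.
    """
    parts = tuple(int(part) for part in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return parts


def is_vulnerable(installed: str) -> bool:
    """True when the installed plugin version is below 1.3.977."""
    return parse_version(installed) < PATCHED_VERSION


# Terms from the advisory's SIEM query, matched case-insensitively.
PLUGIN_TERMS = ("custom_upload_mimes", "royal-elementor", "templates-kit.php")
SCRIPT_TERMS = ("script", "javascript", "onload=")


def matches_siem_query(line: str) -> bool:
    """Mirror the advisory query: a plugin term AND a script-like term in one line."""
    text = line.lower()
    has_plugin = any(term in text for term in PLUGIN_TERMS)
    has_script = any(term in text for term in SCRIPT_TERMS)
    return has_plugin and has_script


def suspicious_lines(lines) -> list:
    """Return the lines worth triaging. Substring matching is a coarse filter,
    so legitimate plugin activity can appear here too; treat hits as leads."""
    return [line for line in lines if matches_siem_query(line)]


if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("1.3.976"))  # True
    for hit in suspicious_lines(SAMPLE_LOG):
        print("triage:", hit)
```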
🔗 References
- https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.3.973/admin/templates-kit.php#L896
- https://plugins.trac.wordpress.org/changeset/3097775/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/57bf222b-5f49-46e2-be84-3e6444807096?source=cve