CVE-2024-4580
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level permissions or higher to inject malicious scripts into website pages through the Master Addons plugin. The injected scripts execute whenever users view the compromised pages, enabling attackers to steal session cookies, redirect users, or deface websites. All WordPress sites using Master Addons plugin versions up to 2.0.6.0 are affected.
💻 Affected Systems
- Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor WordPress plugin
📦 What is this software?
Master Addons by Master Addons
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full administrative access, install backdoors, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session cookies, perform phishing attacks, or deface specific pages, potentially compromising user accounts and damaging site reputation.
If Mitigated
With proper user access controls and content review processes, the impact is limited to potential page defacement or minor script injection that can be quickly detected and removed.
🎯 Exploit Status
Exploitation requires authenticated access with contributor permissions. Public proof-of-concept exists in vulnerability reports and code changesets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.0.6.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3087193/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Master Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the Master Addons plugin until patched to prevent exploitation
wp plugin deactivate master-addons
User Role Restriction
Temporarily restrict contributor-level users from editing posts/pages
Use WordPress role management plugins or custom code to modify capabilities
🧯 If You Can't Patch
- Implement strict user access controls and review all content from contributor-level users
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in plugin parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins, find Master Addons, verify version is 2.0.6.0 or lower
Check Version:
wp plugin get master-addons --field=version
Verify Fix Applied:
After updating, verify Master Addons plugin version is 2.0.6.1 or higher in WordPress plugins list
📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits from contributor accounts
- Script tags containing malicious code in post content
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from your website
- Unexpected script loads in page responses
SIEM Query:
source="wordpress.log" AND ("master-addons" OR "ma-image-hover-effects" OR "ma-tabs") AND ("script" OR "onerror" OR "javascript:")
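The SIEM query above only sees what reaches your logs. As an added defender's example (not code from the advisory or the plugin), the scan below looks for the same indicators directly in stored Elementor layout data, which Elementor keeps in the `_elementor_data` post meta as a JSON tree of sections, columns and widgets. The widget type names "ma-tabs" and "ma-image-hover-effects" are assumptions made for the sample; check which names your install registers. The sample layout is constructed for illustration.

```python
import json
import re

# Indicators from the SIEM query above: script tags, event-handler attributes, javascript: URIs.
XSS_PATTERN = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)

# Constructed sample of one post's _elementor_data meta (Elementor stores the layout
# as a JSON tree of sections/columns/widgets). The widget type names "ma-tabs" and
# "ma-image-hover-effects" are assumed; check what your install actually registers.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"elType": "section", "elements": [{"elType": "column", "elements": [
        {"elType": "widget", "widgetType": "ma-tabs",
         "settings": {"tabs": [{"title": "Plans", "content": "<p>Hello</p>"}]}},
        {"elType": "widget", "widgetType": "ma-image-hover-effects",
         "settings": {"title": 'x" onerror="alert(1)',
                      "link": {"url": "javascript:alert(1)"}}},
        {"elType": "widget", "widgetType": "heading",
         "settings": {"title": "<script>alert(1)</script>"}},
    ]}]}
])

def iter_widgets(elements):
    """Walk Elementor's nested element tree and yield every widget element."""
    for el in elements:
        if el.get("elType") == "widget":
            yield el
        yield from iter_widgets(el.get("elements", []))

def iter_strings(value):
    """Yield every string leaf of a nested settings structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for v in (value.values() if isinstance(value, dict) else value):
            yield from iter_strings(v)

def find_suspicious_widgets(elementor_data_json, post_id, widget_prefix="ma-"):
    """Return (post_id, widgetType, matched text) for each setting string of a widget
    whose type starts with widget_prefix and contains an XSS indicator."""
    hits = []
    for w in iter_widgets(json.loads(elementor_data_json)):
        wtype = w.get("widgetType", "")
        if not wtype.startswith(widget_prefix):
            continue
        for s in iter_strings(w.get("settings", {})):
            m = XSS_PATTERN.search(s)
            if m:
                hits.append((post_id, wtype, m.group(0)))
    return hits
```

Run it over each post's `_elementor_data` value (for example from `wp post meta get <id> _elementor_data`) and review every reported widget by hand; pass `widget_prefix=""` to scan widgets from every plugin.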
🔗 References
- https://plugins.trac.wordpress.org/browser/master-addons/trunk/addons/ma-image-hover-effects/ma-image-hover-effects.php#L1546
- https://plugins.trac.wordpress.org/browser/master-addons/trunk/addons/ma-tabs/ma-tabs.php#L1068
- https://plugins.trac.wordpress.org/changeset/3087193/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e3e3ac84-dd82-42b0-80b9-c876731170d5?source=cve