CVE-2024-47396
📋 TL;DR
This stored XSS vulnerability in the Move Addons for Elementor WordPress plugin allows attackers to inject malicious scripts into web pages. When users view pages containing the injected scripts, the attacker can steal session cookies, redirect users, or perform actions on their behalf. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Move Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, deface the site, or use it as a platform for further attacks against visitors.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing sites, or perform actions in the context of logged-in users.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before reaching users, preventing exploitation.
🎯 Exploit Status
Stored XSS vulnerabilities are commonly exploited. Attackers need contributor-level access or higher to inject scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.4 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Move Addons for Elementor'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.3.4+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Move Addons plugin until patched
wp plugin deactivate move-addons
Implement Content Security Policy
allAdd CSP headers to restrict script execution sources
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Remove the Move Addons plugin entirely and use alternative Elementor addons
- Implement web application firewall (WAF) rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Move Addons for Elementor' versionCheck Version:
wp plugin get move-addons --field=versionVerify Fix Applied:
Verify plugin version is 1.3.4 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin endpoints
- Suspicious JavaScript in database content fields
- Multiple failed authentication attempts followed by successful contributor/admin login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected redirects from your site
SIEM Query:
source="wordpress.log" AND ("move-addons" OR "move_addons") AND (POST OR PUT) AND (script OR javascript OR onload OR onerror)