CVE-2024-4866

6.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages using the UltraAddons plugin. The stored XSS payload executes whenever users visit compromised pages, potentially affecting all visitors. The issue affects all versions up to 1.1.6 due to insufficient input sanitization in multiple widgets.

💻 Affected Systems

Products:
  • UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS, Woo Widget, Menu Builder, Anywhere Elementor Shortcode)
Versions: All versions up to and including 1.1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with UltraAddons plugin installed. Contributor-level or higher access needed for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to full site compromise.

🟠 Likely Case

Attackers with contributor access inject malicious scripts that steal user session data or redirect visitors to phishing sites, compromising user accounts and site integrity.

🟢 If Mitigated

With proper user role management and content review processes, impact is limited to potential defacement of specific pages rather than widespread compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges. Multiple widget entry points increase the attack surface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.7 or later

Vendor Advisory: https://wordpress.org/plugins/ultraaddons-elementor-lite/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find UltraAddons – Elementor Addons
4. Click 'Update Now' if update available
5. If no update appears, manually download version 1.1.7+ from WordPress repository
6. Deactivate old plugin, upload new version via FTP or admin panel
7. Reactivate plugin

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the vulnerable plugin until the patched version is installed:

wp plugin deactivate ultraaddons-elementor-lite

User Role Restriction (applies to: all)

Temporarily restrict contributor-level users from editing content. Use WordPress role management plugins or custom code to modify the relevant capabilities.

🧯 If You Can't Patch

  • Remove contributor-level access for untrusted users
  • Implement web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → UltraAddons plugin version. If version is 1.1.6 or lower, system is vulnerable.

Check Version:

wp plugin get ultraaddons-elementor-lite --field=version

Verify Fix Applied:

Verify plugin version is 1.1.7 or higher in WordPress admin panel. Test widget functionality remains intact.

📡 Detection & Monitoring

Log Indicators:

  • Unusual content modifications by contributor-level users
  • Multiple widget updates in short timeframe
  • POST requests to widget endpoints with script-like payloads

Network Indicators:

  • Inbound requests containing script tags in widget parameters
  • Outbound connections to suspicious domains from previously normal pages

SIEM Query:

source="wordpress" AND ((event_type="plugin_update" AND plugin_name="ultraaddons*" AND version<="1.1.6") OR (event_type="content_edit" AND user_role="contributor" AND content CONTAINS "<script>"))
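As an added example (not part of this advisory or of the plugin), the two conditions of the SIEM query above implemented in Python over constructed JSON log events; the version check is done numerically so that a version such as 1.1.10 is not mistaken for a vulnerable one by string comparison. The event field names are assumptions about the log format, not a real WordPress schema.

```python
import json
import re

# Constructed sample events in the shape the SIEM query assumes (field names
# are assumptions, not a real WordPress log format).
SAMPLE_EVENTS = [
    '{"source":"wordpress","event_type":"plugin_update","plugin_name":"ultraaddons-elementor-lite","version":"1.1.6"}',
    '{"source":"wordpress","event_type":"plugin_update","plugin_name":"ultraaddons-elementor-lite","version":"1.1.7"}',
    '{"source":"wordpress","event_type":"plugin_update","plugin_name":"ultraaddons-elementor-lite","version":"1.1.10"}',
    '{"source":"wordpress","event_type":"content_edit","user_role":"contributor","user":"c1","content":"<p>hello</p>"}',
    '{"source":"wordpress","event_type":"content_edit","user_role":"contributor","user":"c2","content":"<script>alert(1)</script>"}',
    '{"source":"wordpress","event_type":"content_edit","user_role":"contributor","user":"c3","content":"<img src=x onerror=alert(1)>"}',
    '{"source":"wordpress","event_type":"content_edit","user_role":"administrator","user":"a1","content":"<script>"}',
    '{"source":"nginx","event_type":"content_edit","user_role":"contributor","user":"c4","content":"<script>"}',
]

FIXED_VERSION = (1, 1, 7)  # first patched release per the advisory
# Script-like content: a script tag, an on*= event handler, or a javascript: URL.
SCRIPT_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def parse_version(text):
    """Turn '1.1.10' into (1, 1, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def classify(event):
    """Return a finding label for one parsed event, or None if it is benign."""
    if event.get("source") != "wordpress":
        return None
    if (event.get("event_type") == "plugin_update"
            and event.get("plugin_name", "").startswith("ultraaddons")
            and parse_version(event.get("version", "0")) < FIXED_VERSION):
        return "vulnerable_plugin_version"
    if (event.get("event_type") == "content_edit"
            and event.get("user_role") == "contributor"
            and SCRIPT_RE.search(event.get("content", ""))):
        return "contributor_script_payload"
    return None


def scan(lines):
    """Parse JSON lines and return (label, user-or-version) for each finding."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        label = classify(event)
        if label:
            findings.append((label, event.get("user") or event.get("version")))
    return findings
```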
