CVE-2024-4983
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into web pages using The Plus Addons for Elementor plugin. When other users visit pages containing these injected scripts, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, deface websites, redirect users to malicious sites, or deploy malware to visitors' browsers.
Likely Case
Attackers with contributor accounts inject malicious scripts that steal user session data or perform unauthorized actions on behalf of users visiting compromised pages.
If Mitigated
With proper input validation and output escaping, malicious scripts would be neutralized before reaching users' browsers, preventing execution.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3107776/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'The Plus Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.6.1+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporarily disable vulnerable widget
Disable the TP Video Player widget in Elementor settings to prevent exploitation via the vulnerable parameter.
Restrict user roles
Temporarily remove Contributor-level access for untrusted users until patching is complete.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Use web application firewall (WAF) rules to block XSS payloads targeting the video_color parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the 'The Plus Addons for Elementor' version. If the version is 5.6.0 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='the-plus-addons-for-elementor-page-builder' --field=version
Verify Fix Applied:
After updating, verify the plugin version shows 5.6.1 or higher in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin containing a video_color parameter with script tags
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- HTTP requests with suspicious payloads in the video_color parameter
- Outbound connections to unknown domains from your WordPress site
SIEM Query:
source="wordpress.log" AND ("video_color" AND ("<script>" OR "javascript:" OR "onerror="))
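As an added example (not part of this advisory or the plugin's code), the following Python script applies the log indicators above to constructed sample request lines: it extracts the video_color parameter from query string and body, allow-lists what a genuine colour value looks like, and labels anything else with the markers from the SIEM query. The log line format (METHOD PATH QUERY_OR_BODY), the onload= marker and the sample payloads are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a well-formed video_color value: CSS hex colour or rgb()/rgba().
VALID_COLOR = re.compile(
    r"^(#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})"
    r"|rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\))$"
)
# Markers from the SIEM query above (onload= added here); used only to label a flagged value.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed sample log lines (assumed format: METHOD PATH QUERY_OR_BODY).
SAMPLE_LOGS = [
    "POST /wp-admin/admin-ajax.php action=elementor_ajax&video_color=%23ff0000",
    "POST /wp-admin/admin-ajax.php action=elementor_ajax&video_color=rgba(0,0,0,0.5)",
    "POST /wp-admin/admin-ajax.php video_color=%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "POST /wp-admin/post.php?post=12 video_color=red%22%20onerror%3Dalert(1)",
    "GET /?p=12 -",
]

def extract_video_color(request):
    """Return every decoded video_color value in one log line (query string and body)."""
    parts = request.split(maxsplit=2)
    if len(parts) < 3:
        return []
    _, path, payload = parts
    params = parse_qs(urlsplit(path).query + "&" + payload, keep_blank_values=True)
    return params.get("video_color", [])

def classify(value):
    """None for a well-formed colour, otherwise a short reason the value was flagged."""
    if VALID_COLOR.fullmatch(value.strip()):
        return None
    lowered = value.lower()
    for marker in XSS_MARKERS:
        if marker in lowered:
            return "xss-marker:" + marker
    return "not-a-colour"  # e.g. a named colour; widen VALID_COLOR if your site uses them

def scan(lines):
    """Return (line_number, value, reason) for each anomalous video_color parameter."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for value in extract_video_color(line):
            reason = classify(value)
            if reason:
                findings.append((number, value, reason))
    return findings
```

Running scan(SAMPLE_LOGS) flags lines 3 and 4 only, labelled xss-marker:<script and xss-marker:onerror= respectively; the allow-list catches variants the literal markers miss, such as a named colour or an unexpected attribute, at the cost of tuning it to the colour formats your site legitimately emits.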
🔗 References
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.3/modules/widgets/tp_video_player.php#L1302
- https://plugins.trac.wordpress.org/changeset/3107776/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e3f0a20b-d572-4040-b5b6-ede0aec4e2b0?source=cve