CVE-2024-5001
📋 TL;DR
This stored XSS vulnerability in the Image Hover Effects for Elementor WordPress plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts into website pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using this plugin up to version 3.0.2 are affected.
💻 Affected Systems
- Image Hover Effects for Elementor with Lightbox and Flipbox WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers inject malicious scripts to steal user session cookies, perform actions as authenticated users, or display phishing content.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only authorized users can modify plugin content.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has Contributor privileges. The vulnerability is well-documented with specific parameter names identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.0.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/image-hover-effects-with-carousel/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Image Hover Effects for Elementor'.
4. Click 'Update Now' if available.
5. If no update appears, download version 3.0.3 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily restrict Contributor-level user access until patching is complete.
Disable Vulnerable Plugin
Deactivate the plugin if it is not essential for site functionality:
wp plugin deactivate image-hover-effects-with-carousel
🧯 If You Can't Patch
- Implement strict user access controls and audit Contributor-level accounts
- Deploy web application firewall (WAF) rules to block XSS payloads targeting the vulnerable parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Image Hover Effects for Elementor' version 3.0.2 or lower.
Check Version:
wp plugin get image-hover-effects-with-carousel --field=version
Verify Fix Applied:
Confirm plugin version is 3.0.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin containing '_id', 'oxi_addons_f_title_tag', or 'content_description_tag' parameters with script tags
- Multiple failed login attempts followed by successful Contributor-level access
Network Indicators:
- HTTP requests with JavaScript payloads in the vulnerable parameters
- Unexpected outbound connections from WordPress site to external domains
SIEM Query:
source="wordpress.log" AND ("_id=" OR "oxi_addons_f_title_tag=" OR "content_description_tag=") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
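The SIEM query above matches literal strings, so a percent-encoded or double-encoded payload in a logged POST body would slip past it. As an added example that is not part of the advisory, the Python below applies the same indicators (the three parameter names and the script/handler markers) to constructed log lines after decoding the body; the log line format, the sample values and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Parameters the advisory names as carrying the stored payload.
VULN_PARAMS = {"_id", "oxi_addons_f_title_tag", "content_description_tag"}

# Markers from the advisory's SIEM query; matched after decoding, case-insensitively.
XSS_MARKERS = re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)

# Constructed log format (hypothetical): <client_ip> <method> <path> "<post_body>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def flag_body(body: str) -> dict:
    """Return {param: decoded_value} for vulnerable params whose value carries an XSS marker."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in VULN_PARAMS:
            continue
        for value in values:
            # parse_qs percent-decodes once; decode again so a double-encoded payload is not missed.
            decoded = unquote_plus(value)
            if XSS_MARKERS.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines) -> list:
    """Return [(client_ip, path, hits)] for POST requests under wp-admin that flag_body() flags."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, path, body = m.groups()
        if method != "POST" or "/wp-admin/" not in path:
            continue
        hits = flag_body(body)
        if hits:
            findings.append((ip, path, hits))
    return findings


# Constructed sample lines; addresses come from documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 POST /wp-admin/admin-ajax.php "_id=a1b2&oxi_addons_f_title_tag=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    '203.0.113.5 POST /wp-admin/admin-ajax.php "_id=a1b2&content_description_tag=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"',
    '198.51.100.7 POST /wp-admin/admin-ajax.php "_id=c3d4&content_description_tag=Nice+photo"',
    '192.0.2.9 POST /wp-admin/post.php "post_title=Hello&content=%3Cscript%3E"',
]
```

Running scan_log(SAMPLE_LOG) flags the first two lines only: the third is benign and the fourth carries a script tag in a parameter the advisory does not name.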
🔗 References
- https://plugins.trac.wordpress.org/browser/image-hover-effects-with-carousel/trunk/Modules/Caption/Caption.php#L2622
- https://plugins.trac.wordpress.org/browser/image-hover-effects-with-carousel/trunk/Modules/Flipbox/Flipbox.php#L3211
- https://plugins.trac.wordpress.org/browser/image-hover-effects-with-carousel/trunk/Modules/Image/Data.php#L2838
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6c384f05-96dd-47bb-822d-16212527091a?source=cve