CVE-2024-5188
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into web pages via the Essential Addons for Elementor plugin. The scripts execute whenever users visit the compromised pages, enabling attackers to steal session cookies, redirect users, or perform other malicious actions. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over websites, redirect visitors to malicious sites, or deploy malware to site visitors' browsers.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session data, display fraudulent content, or redirect users to phishing pages.
If Mitigated
With proper user access controls and input validation, the impact is limited to potential data exposure from compromised contributor accounts.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.23 or later
Vendor Advisory: https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Essential Addons for Elementor'. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.9.23+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate essential-addons-for-elementor-lite
Restrict User Roles
linuxTemporarily remove contributor-level access for untrusted users
wp user list --role=contributor --field=ID | xargs wp user set-role subscriber
🧯 If You Can't Patch
- Implement strict input validation and output escaping in custom code
- Use web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed PluginsCheck Version:
wp plugin get essential-addons-for-elementor-lite --field=versionVerify Fix Applied:
Verify plugin version is 5.9.23 or higher and test calendar functionality📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to event calendar endpoints
- Suspicious JavaScript in database content fields
Network Indicators:
- Unexpected script tags in HTTP responses from calendar pages
SIEM Query:
source="wordpress.log" AND "event_calendar" AND ("script" OR "javascript" OR "onload")🔗 References
- https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Event_Calendar.php#L3255
- https://plugins.trac.wordpress.org/changeset/3097900/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5a1d5fd1-80b6-4d62-9837-59ee1e020373?source=cve
- https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Event_Calendar.php#L3255
- https://plugins.trac.wordpress.org/changeset/3097900/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5a1d5fd1-80b6-4d62-9837-59ee1e020373?source=cve
