CVE-2024-5327
📋 TL;DR
This is a stored cross-site scripting (XSS) flaw in the Animated Gradient Background extension of the PowerPack Addons for Elementor plugin: the 'pp_animated_gradient_bg_color' setting is neither sanitized on input nor escaped on output, so an authenticated WordPress user with Contributor-level access or higher can save arbitrary script into a page built with the plugin. The injected script runs in the browser of every user who views the affected page (including logged-in administrators), enabling actions in the victim's session, defacement, or redirection to attacker-controlled sites. All WordPress sites running PowerPack Addons for Elementor versions up to and including 2.7.19 are affected; 2.7.20 fixes the issue.
💻 Affected Systems
- PowerPack Addons for Elementor (Free Widgets, Extensions and Templates), plugin slug powerpack-lite-for-elementor, all versions up to and including 2.7.19
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An injected script that runs while an administrator views the page executes with that administrator's session and nonces, so it can create a new administrator account, edit theme or plugin files, or install a backdoor plugin through wp-admin without the victim noticing, leading to complete site compromise and exposure of any data the site holds. Visitors can likewise be redirected to malicious sites.
Likely Case
An attacker holding (or having phished) a Contributor or Author account injects script that rides the session of whoever views the page, defaces content, or redirects visitors to phishing pages, causing reputation damage and credential loss. Because WordPress auth cookies are HttpOnly, outright cookie theft is unlikely; the realistic abuse is actions performed on the victim's behalf.
If Mitigated
If Contributor and Author accounts are tightly controlled and audited, and administrators review submitted content only in contexts where the affected page does not render, impact is limited to defacement of the specific pages the attacker can edit, without broader site compromise.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor role or higher). The vulnerability is well-documented with public proof-of-concept available in the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.20 or later
Fix Changeset: https://plugins.trac.wordpress.org/changeset/3094253/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'PowerPack Addons for Elementor'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.7.20 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Deactivate the PowerPack Addons for Elementor plugin until it is patched (pages that use its widgets or extensions will lose that styling while it is off)
wp plugin deactivate powerpack-lite-for-elementor
Restrict User Roles
Temporarily demote Contributor and Author users to Subscriber, or restrict their capabilities, until the plugin is patched
Use WordPress role management plugins, functions.php modifications, or WP-CLI; if your Elementor version offers a Role Manager (Elementor → Role Manager), denying those roles access to the editor blocks the injection path without removing their ability to write posts
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution; note that Elementor-built pages depend heavily on inline scripts and styles, so a policy strict enough to block an injected script usually needs nonces or hashes and is not a quick drop-in
- Regularly audit user accounts and remove unnecessary Contributor/Author roles
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → PowerPack Addons for Elementor version. If version is 2.7.19 or lower, you are vulnerable.
Check Version:
wp plugin get powerpack-lite-for-elementor --field=version
Verify Fix Applied:
Verify that the plugin version is 2.7.20 or higher in the WordPress admin panel. If you maintain a fork or a vendored copy, compare extensions/animated-gradient-background.php against the fix changeset and confirm that the 'pp_animated_gradient_bg_color' values are validated on save and escaped on output.
📡 Detection & Monitoring
Log Indicators:
- POST requests from Contributor/Author accounts to wp-admin/admin-ajax.php (Elementor's editor save endpoint) whose body contains 'pp_animated_gradient_bg_color'; the setting travels in the request body, not the URI, so a plain access log shows only the admin-ajax.php hit unless request bodies are logged (for example by a WAF)
- Multiple failed login attempts followed by a successful Contributor-level login
- '<script', 'javascript:' or on*= event-handler attributes inside Elementor post meta (_elementor_data) or inside rendered page HTML where only a CSS colour value is expected
Network Indicators:
- Visitors' browsers requesting unfamiliar third-party domains when loading affected pages (the script runs client-side, so the beaconing comes from visitors, not from the web server)
- Unexpected redirects from legitimate pages
SIEM Query:
source="wordpress" AND (uri="*pp_animated_gradient_bg_color*" OR message="*XSS*" OR message="*script injection*")
The uri clause only fires if the parameter name ends up in a query string; with Elementor's editor it is sent in the POST body to admin-ajax.php, so pair this query with request-body logging (WAF or reverse proxy) or with firewall/audit log messages that quote the matched string, and adjust the field names to your SIEM's schema.
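Because the injected value is persisted in Elementor's saved element tree rather than in a URL, the most reliable check during verification or incident response is to inspect that stored data directly. The script below is an added example, not PowerPack's or Wordfence's code. It assumes that Elementor stores each page's element tree as JSON in the `_elementor_data` post meta (a list of elements, each with a `settings` dict and a nested `elements` list) and that the gradient colours sit under the setting key `pp_animated_gradient_bg_color` as a string or a list; the sample tree embedded at the bottom is constructed for illustration. It walks the tree and reports any colour value that is not a plain CSS colour, which is also the allowlist shape a proper fix should enforce on save.

```python
"""Scan Elementor's saved element tree for unsafe Animated Gradient colour values.

Added example, not PowerPack's or Wordfence's code. Assumptions (not taken
from the advisory): Elementor keeps each page's element tree as JSON in the
`_elementor_data` post meta, a list of elements that each carry a "settings"
dict and a nested "elements" list; the gradient colours live under the setting
key `pp_animated_gradient_bg_color` as a string or a (possibly nested) list.
Adjust TARGET_KEY if your build stores it elsewhere.
"""
import json
import re
import sys
from typing import Any, Iterator

TARGET_KEY = "pp_animated_gradient_bg_color"

# Allowlist of what a colour setting may be: #rgb/#rgba/#rrggbb/#rrggbbaa,
# rgb()/rgba()/hsl()/hsla() with purely numeric arguments, or a bare colour
# keyword. Quotes, angle brackets, "expression(", "url(" and friends all fail.
COLOR_RE = re.compile(
    r"#(?:[0-9a-fA-F]{3,4}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})"
    r"|(?:rgba?|hsla?)\(\s*[0-9.%\s,/]+\)"
    r"|[a-zA-Z]{3,20}"
)


def is_safe_color(value: str) -> bool:
    """True only if the whole value matches the colour allowlist."""
    return COLOR_RE.fullmatch(value.strip()) is not None


def _strings_in(value: Any) -> Iterator[str]:
    """Yield every string inside a setting value, whatever its nesting."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _strings_in(item)
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings_in(item)


def walk_elements(elements: list, path: tuple = ()) -> Iterator[tuple]:
    """Depth-first walk over Elementor elements, yielding (id path, settings)."""
    for idx, element in enumerate(elements):
        element_path = path + (str(element.get("id", idx)),)
        settings = element.get("settings") or {}  # Elementor may store [] for "no settings"
        if isinstance(settings, dict):
            yield element_path, settings
        yield from walk_elements(element.get("elements") or [], element_path)


def find_suspicious(elementor_data: str) -> list:
    """Return (element path, offending value) for every gradient colour that is
    not a plain CSS colour. Input is the raw `_elementor_data` JSON string."""
    findings = []
    for element_path, settings in walk_elements(json.loads(elementor_data)):
        if TARGET_KEY not in settings:
            continue
        for candidate in _strings_in(settings[TARGET_KEY]):
            if not is_safe_color(candidate):
                findings.append(("/".join(element_path), candidate))
    return findings


# Constructed sample: one clean section and one column carrying an injected
# payload in its colour list. Not data taken from a real site.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {
        "id": "a1b2c3", "elType": "section",
        "settings": {TARGET_KEY: ["#ff0000", "rgba(0, 0, 255, 0.5)"]},
        "elements": [
            {
                "id": "d4e5f6", "elType": "column",
                "settings": {TARGET_KEY: ['#fff"><script>alert(1)</script>', "navy"]},
                "elements": [],
            }
        ],
    }
])

if __name__ == "__main__":
    # Usage: wp post meta get <post_id> _elementor_data | python3 scan_gradient.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ELEMENTOR_DATA
    for element_path, value in find_suspicious(raw):
        print(f"{element_path}: {value!r}")
```

To narrow the set of posts to feed in, first query wp_postmeta for rows with meta_key '_elementor_data' whose meta_value contains 'pp_animated_gradient_bg_color', then pipe each post's meta through the script. The allowlist is deliberately narrower than full CSS: it rejects anything a colour value never legitimately needs, which is the right trade-off for a setting that is written straight into markup.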
🔗 References
- https://plugins.trac.wordpress.org/browser/powerpack-lite-for-elementor/tags/2.7.19/extensions/animated-gradient-background.php#L322
- https://plugins.trac.wordpress.org/changeset/3094253/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5618fdfc-636f-452b-80e1-5182b068d1c6?source=cve