CVE-2024-5542
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts into WordPress pages using the Master Addons plugin's Navigation Menu widget. The scripts execute whenever users visit compromised pages, enabling session hijacking, credential theft, or malware distribution. All WordPress sites using Master Addons plugin versions up to 2.0.6.1 are affected.
💻 Affected Systems
- Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor WordPress plugin
📦 What is this software?
Master Addons by Master Addons
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over websites, distribute malware to visitors, or redirect users to malicious sites, leading to complete site compromise and data breaches.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect users to phishing pages, or display unwanted advertisements, compromising user trust and site integrity.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, maintaining normal plugin functionality without security risks.
🎯 Exploit Status
XSS vulnerabilities are commonly exploited, and because no authentication is required this one is particularly dangerous.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.6.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3096299/master-addons
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins > Installed Plugins.
3. Find 'Master Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Navigation Menu Widget
Temporarily disable the vulnerable Navigation Menu widget in the Mega Menu extension to prevent exploitation.
Apply Web Application Firewall (WAF) Rules
Configure the WAF to block XSS payloads targeting the plugin's endpoints.
🧯 If You Can't Patch
- Disable the Master Addons plugin entirely until patched.
- Implement strict Content Security Policy (CSP) headers to mitigate script execution.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Master Addons version. If version is 2.0.6.1 or lower, you are vulnerable.
Check Version:
wp plugin list --name='master-addons' --field=version (if WP-CLI installed)
Verify Fix Applied:
After update, confirm version is 2.0.6.2 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with plugin-related parameters
- JavaScript payloads in request logs containing 'master-addons' or 'mega-menu'
Network Indicators:
- Inbound requests with script tags or JavaScript in URL parameters targeting plugin endpoints
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND query="action=master_addons_*" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:"))
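The following log-triage script is an added example, not code from the advisory or the plugin vendor: it applies the SIEM query's logic to web-server access-log lines, URL-decoding the query string so percent-encoded payloads are also caught. It assumes the endpoint and the master_addons_ action prefix from the query above (not confirmed plugin internals), and the sample log lines are constructed; POST bodies are not visible in access logs, so those need WAF or application logs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=master_addons_menu&label=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=master_addons_nav&url=javascript:alert(document.cookie) HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.8 - - [10/Jun/2024:12:00:04 +0000] "GET /index.php?s=%3Cscript%3E HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markers from the advisory's SIEM query; matched after URL decoding so
# percent-encoded variants such as %3Cscript%3E are caught too.
XSS_MARKERS = ("<script", "javascript:")
# Assumed from the SIEM query (action=master_addons_*); not verified against plugin source.
ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION_PREFIX = "master_addons_"

def is_suspicious(target: str) -> bool:
    """True for admin-ajax.php requests with a master_addons_* action whose decoded query carries an XSS marker."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return False
    action = parse_qs(parts.query, keep_blank_values=True).get("action", [""])[0]
    if not action.startswith(ACTION_PREFIX):
        return False
    decoded = unquote_plus(parts.query).lower()
    return any(marker in decoded for marker in XSS_MARKERS)

def scan_log(text: str) -> list:
    """Return one dict per suspicious request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"], "target": m["target"]})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']}")
```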
🔗 References
- https://plugins.trac.wordpress.org/changeset/3096299/master-addons
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5151f429-b1f3-43d4-94cf-3ff382b80190?source=cve