CVE-2024-5763
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages via the Video widget in The Plus Addons for Elementor plugin. When visitors view compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor accounts inject malicious scripts that steal visitor session cookies or credentials, leading to account takeover and further site manipulation.
If Mitigated
With proper user access controls and content security policies, impact is limited to defacement or limited data exposure from affected pages only.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.3 and later
Vendor Advisory: https://wordpress.org/plugins/the-plus-addons-for-elementor-page-builder/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'The Plus Addons for Elementor'. 4. Click 'Update Now' if available, or manually update to version 5.6.3+. 5. Clear any caching plugins or CDN caches.
🔧 Temporary Workarounds
Restrict User Roles
allTemporarily limit contributor-level access or review existing contributor accounts for suspicious activity.
Content Security Policy
linuxImplement CSP headers to restrict script execution sources and mitigate XSS impact.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
For Nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self';";
🧯 If You Can't Patch
- Disable the Video widget feature in plugin settings if possible.
- Remove contributor-level access for untrusted users and audit existing contributor accounts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'The Plus Addons for Elementor' version. If version is 5.6.2 or lower, you are vulnerable.Check Version:
wp plugin list --name='the-plus-addons-for-elementor-page-builder' --field=version (WP-CLI)Verify Fix Applied:
After updating, verify plugin version shows 5.6.3 or higher in WordPress admin plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with video_date parameters
- Multiple page edits by contributor-level users in short timeframes
Network Indicators:
- Script tags with unusual sources in page responses
- External JavaScript loading from unexpected domains
SIEM Query:
source="wordpress.log" AND ("video_date" OR "tp_video_player") AND status=200🔗 References
- https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/5.5.6/modules/widgets/tp_video_player.php?rev=3094329#L1351
- https://plugins.trac.wordpress.org/changeset/3136509/
- https://wordpress.org/plugins/the-plus-addons-for-elementor-page-builder/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4eaf4c05-9393-4e44-abd1-8f529b7848b5?source=cve
