CVE-2024-6170
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious JavaScript into website pages via the 'email' parameter in the Unlimited Elements For Elementor plugin. The injected scripts execute whenever users visit the compromised pages, enabling persistent cross-site scripting attacks. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could create new administrator accounts, steal session cookies, redirect users to malicious sites, or deface the entire website by injecting malicious scripts that execute for all visitors.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, perform actions on behalf of users, or redirect visitors to phishing sites.
If Mitigated
With proper input validation and output escaping, the vulnerability would be prevented, and only sanitized data would be displayed to users.
🎯 Exploit Status
Exploitation requires authenticated access (Contributor or higher). Weaponized payloads exist that can create admin users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any version later than 1.5.112
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3112307/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Unlimited Elements For Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Unlimited Elements For Elementor plugin until it is patched
wp plugin deactivate unlimited-elements-for-elementor
Restrict user roles
Temporarily remove the Contributor and Author roles or restrict their capabilities
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in email parameters
- Apply Content Security Policy (CSP) headers to restrict script execution sources
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. If version is 1.5.112 or lower, you are vulnerable.
Check Version:
wp plugin get unlimited-elements-for-elementor --field=version
Verify Fix Applied:
Verify that the installed plugin version is higher than 1.5.112. Test the email parameter with basic XSS payloads to confirm that output is sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to plugin endpoints with email parameter containing script tags
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- HTTP requests containing script tags in email parameter values
- Unexpected outbound connections from WordPress site after page visits
SIEM Query:
source="wordpress.log" AND ("unlimited-elements" OR "email parameter") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
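The same indicator logic as the SIEM query above, implemented as a small log scanner over constructed sample lines; this is an added example, not code from the page or the plugin. The log format ("METHOD PATH?QUERY BODY") and the endpoint path are assumptions, and matching is done after URL-decoding so percent-encoded payloads are not missed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Markers taken from the advisory's SIEM query, matched after URL-decoding.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)

# Constructed sample lines (not real traffic) in a simplified
# "METHOD PATH?QUERY BODY" form. The endpoint path is a placeholder;
# the filter only requires "unlimited-elements" somewhere in the request.
SAMPLE_LOG = """\
POST /wp-admin/admin-ajax.php?action=unlimited-elements-placeholder email=alice%40example.com
POST /wp-admin/admin-ajax.php?action=unlimited-elements-placeholder email=%3Cscript%3Ealert(1)%3C%2Fscript%3E
POST /wp-admin/admin-ajax.php?action=unlimited-elements-placeholder email=x%2522%2520onerror%253Dalert(1)
GET /?s=%3Cscript%3E
POST /wp-admin/admin-ajax.php?action=other email=%3Cscript%3E
"""

def email_values(query: str, body: str) -> list[str]:
    """Return every value of the 'email' parameter found in the query string or body."""
    values = []
    for raw in (query, body):
        for key, vals in parse_qs(raw, keep_blank_values=True).items():
            if key.lower() == "email":
                # parse_qs decoded once; decode again to catch double-encoded payloads.
                values.extend(unquote_plus(v) for v in vals)
    return values

def find_suspicious(log_text: str) -> list[dict]:
    """Flag plugin requests whose email parameter carries an XSS marker."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or "unlimited-elements" not in line:
            continue
        method, target = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        for value in email_values(urlsplit(target).query, body):
            match = XSS_MARKERS.search(value)
            if match:
                hits.append({"line": lineno, "method": method,
                             "email": value, "marker": match.group(0)})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Lines that hit the plugin but carry an ordinary address, and lines with script tags in an unrelated parameter, are not flagged; only the email parameter on a plugin request is inspected.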
🔗 References
- https://github.com/hakluke/weaponised-XSS-payloads/blob/master/wordpress_create_admin_user.js
- https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_settings_output.class.php#L398
- https://plugins.trac.wordpress.org/changeset/3112307/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/db14b141-521b-464d-a638-2228b1a86c2b?source=cve