CVE-2024-7611
📋 TL;DR
This stored XSS vulnerability in the Enter Addons plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into WordPress pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. Only WordPress sites using vulnerable versions of the Enter Addons plugin are affected.
💻 Affected Systems
- Enter Addons – Ultimate Template Builder for Elementor WordPress plugin
📦 What is this software?
Enter Addons by Themelooks
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, deface pages, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts that steal user session cookies or perform actions on behalf of logged-in users, potentially escalating privileges.
If Mitigated
With proper access controls limiting contributor accounts and regular security monitoring, impact is limited to isolated script execution without privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges. Public proof-of-concept details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/enteraddons/trunk/widgets/events_card/traits/Templates_Components.php#L25
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Enter Addons – Ultimate Template Builder for Elementor'.
4. Click 'Update Now' if available, or manually update to version 2.1.9+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Remove vulnerable widget
Disable or remove the Events Card widget from all pages if immediate patching isn't possible.
Navigate to each page using Elementor editor, find Events Card widgets, and delete them.
Restrict user roles
Temporarily limit contributor-level access or implement additional approval workflows for content changes.
Use WordPress user role plugins to restrict contributor capabilities or require editor approval for all content.
🧯 If You Can't Patch
- Disable the Enter Addons plugin entirely until patching is possible.
- Implement a strict Content Security Policy (CSP) that disallows inline scripts to reduce the impact of injected markup; this limits, but does not remove, the stored XSS.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Enter Addons plugin version. If version is 2.1.8 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='enteraddons' --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, confirm plugin version shows 2.1.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual content modifications by contributor users
- POST requests to wp-admin/post.php with suspicious script tags in parameters
Network Indicators:
- Outbound connections to unknown domains from WordPress pages
- Unexpected script loads in page responses
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/post.php" AND method="POST" AND (param="tag" OR body CONTAINS "<script>"))
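As an added example that is not part of the advisory or the plugin's code, the Python below applies the detection logic above to constructed request-log records (JSON lines; the field names are assumed) and also encodes the version check from the verification section. It goes beyond the single `<script>` indicator by also flagging inline event handlers and `javascript:` URLs.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample records (not real logs): one JSON object per line, as a
# WordPress or WAF request log might emit them. Bodies are URL-encoded the
# way a browser submits an editor form.
SAMPLE_LOG = """\
{"user":"alice","role":"contributor","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=12&content=Hello+world"}
{"user":"bob","role":"contributor","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=13&content=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"user":"carol","role":"editor","method":"GET","uri":"/wp-admin/post.php","body":""}
{"user":"dave","role":"contributor","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=14&content=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"}
"""

# Indicators of script injection in submitted content. Beyond the advisory's
# "<script>" indicator this also catches inline event handlers and
# javascript: URLs, which are common stored-XSS vectors.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]

def suspicious_body(body: str) -> bool:
    """URL-decode the form body once, then test it against the patterns."""
    decoded = unquote_plus(body)
    return any(p.search(decoded) for p in SCRIPT_PATTERNS)

def find_suspicious_posts(log_text: str) -> list:
    """Return (user, role) for every POST to wp-admin/post.php whose body
    looks like a script injection; this mirrors the SIEM query above."""
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or not rec["uri"].endswith("/wp-admin/post.php"):
            continue
        if suspicious_body(rec["body"]):
            hits.append((rec["user"], rec["role"]))
    return hits

def is_vulnerable_version(version: str) -> bool:
    """True if the installed Enter Addons version is below the fixed 2.1.9."""
    return tuple(int(x) for x in re.findall(r"\d+", version)) < (2, 1, 9)

if __name__ == "__main__":
    for user, role in find_suspicious_posts(SAMPLE_LOG):
        print(f"ALERT: suspicious post.php submission by {user} ({role})")
    print("2.1.8 vulnerable:", is_vulnerable_version("2.1.8"))
```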