CVE-2024-8681
📋 TL;DR
The Premium Addons for Elementor WordPress plugin has a stored XSS vulnerability in its Media Grid widget. Authenticated attackers with contributor-level access or higher can inject malicious scripts that execute when users view affected pages. This affects all versions up to 4.10.52.
💻 Affected Systems
- Premium Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session cookies or display unwanted content.
If Mitigated
With proper user role management and input validation, impact is limited to low-privilege account compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.10.53 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3158331/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Premium Addons for Elementor'.
4. Click 'Update Now' if available.
5. If not, download the latest version from the WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Media Grid Widget
Temporarily disable the vulnerable Media Grid widget until patching
Navigate to Elementor → Settings → Advanced → Disable Media Grid widget
Restrict User Roles
Limit contributor-level access to trusted users only
Review WordPress Users → All Users and remove unnecessary contributor accounts
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Use web application firewall (WAF) rules to block XSS payloads in Media Grid parameters
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. If version is 4.10.52 or lower, you are vulnerable.
Check Version:
wp plugin list --name='premium-addons-for-elementor' --field=version
Verify Fix Applied:
After updating, verify version is 4.10.53 or higher. Test Media Grid widget functionality to ensure it works without errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Media Grid widget endpoints
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Script tags in Media Grid parameter values
- Unexpected outbound connections after page loads
SIEM Query:
source="wordpress.log" AND ("premium-grid" OR "media-grid") AND ("script" OR "onerror" OR "javascript:")
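As an added example (not part of this advisory and not the plugin's code), the log indicators above turned into a small Python check: it URL-decodes request targets before matching, which a literal string query like the SIEM one misses when a payload is percent-encoded, and it generalises "onerror" to any on*= handler attribute. The log line format, paths and usernames are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (not real traffic); format: METHOD TARGET "user"
SAMPLE_LOG = [
    'POST /wp-admin/admin-ajax.php?action=elementor_ajax&widget=premium-grid&title=Gallery "contrib1"',
    'POST /wp-admin/admin-ajax.php?action=elementor_ajax&widget=premium-grid'
    '&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E "contrib1"',
    'GET /wp-content/plugins/premium-addons-for-elementor/assets/frontend/js/premium-addons.js "anon"',
    'POST /wp-admin/admin-ajax.php?action=elementor_ajax&widget=media-grid'
    '&caption=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E "contrib2"',
]

# Request targets worth inspecting: the grid widget names from the advisory's SIEM query
GRID_MARKERS = ("premium-grid", "media-grid")
# Indicators from the advisory, with "onerror" widened to any on*= event handler
XSS_PATTERN = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)
LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) "(?P<user>[^"]*)"$')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (payloads are often encoded more than once) until stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_suspicious(lines):
    """Return one finding per request that targets a grid widget and carries an XSS indicator."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        target = decode_fully(m["target"])
        if not any(marker in target for marker in GRID_MARKERS):
            continue
        hit = XSS_PATTERN.search(target)
        if hit:
            findings.append({"user": m["user"], "method": m["method"],
                             "match": hit.group(0), "target": target})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f"{f['user']}: {f['method']} matched {f['match']!r} in {f['target']}")
```

Pair the findings with the plugin version from the verification step: hits on an unpatched site warrant reviewing the contributor account that made the request.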
🔗 References
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/trunk/includes/compatibility/widgets/grid.php#L72
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/trunk/widgets/premium-grid.php#L3033
- https://plugins.trac.wordpress.org/browser/premium-addons-for-elementor/trunk/widgets/premium-grid.php#L3149
- https://plugins.trac.wordpress.org/changeset/3158331/
- https://plugins.trac.wordpress.org/changeset/3158331/premium-addons-for-elementor/trunk/assets/frontend/js/premium-addons.js
- https://wordpress.org/plugins/premium-addons-for-elementor/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/de207181-0163-4222-ac16-d7b74179ff9b?source=cve