CVE-2024-8961
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious JavaScript into website pages through the Essential Addons for Elementor plugin. The injected scripts execute whenever users visit the compromised pages, enabling attackers to steal session cookies, redirect users, or perform other malicious actions. All WordPress sites using Essential Addons for Elementor up to version 6.0.7 are affected.
💻 Affected Systems
- Essential Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the WordPress site, install backdoors, deface the website, or redirect users to malicious sites for credential harvesting.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect visitors to phishing pages, or display unwanted advertisements.
If Mitigated
With proper input validation and output escaping, the vulnerability is eliminated and no script injection is possible.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has Contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.8
Vendor Advisory: https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Essential Addons for Elementor'. 4. Click 'Update Now' if available. 5. Alternatively, download version 6.0.8+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporary Input Sanitization
allAdd custom sanitization to the 'nomore_items_text' parameter in theme functions
Add to theme's functions.php: add_filter('eael_filterable_gallery_nomore_items_text', 'esc_html');
Restrict User Roles
allTemporarily remove Contributor role access or limit plugin permissions
Use WordPress role management plugin to restrict 'edit_posts' capability for Contributors
🧯 If You Can't Patch
- Disable the Essential Addons for Elementor plugin completely
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Essential Addons for Elementor → Version. If version is 6.0.7 or lower, you are vulnerable.Check Version:
wp plugin list --name='essential-addons-for-elementor' --field=versionVerify Fix Applied:
After updating, verify version shows 6.0.8 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'nomore_items_text' parameter containing script tags
- Multiple failed login attempts followed by successful Contributor-level login
Network Indicators:
- Unexpected outbound connections from WordPress site to unknown domains after page visits
- Suspicious JavaScript payloads in HTTP responses
SIEM Query:
source="wordpress.log" AND "nomore_items_text" AND ("<script>" OR "javascript:")