CVE-2024-8979
📋 TL;DR
The Essential Addons for Elementor WordPress plugin exposes sensitive user information through password reset email notifications. Authenticated attackers with Author-level access or higher can extract usernames and passwords of any user, including administrators, when victims open password change emails with images enabled. This affects all WordPress sites using vulnerable versions of the plugin.
💻 Affected Systems
- Essential Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise through administrator credential theft, leading to data breach, malware installation, or site defacement.
Likely Case
Privilege escalation and unauthorized access to user accounts, potentially leading to data theft or content manipulation.
If Mitigated
Limited impact if email clients block images by default or if Author-level user accounts are strictly controlled.
🎯 Exploit Status
Exploitation requires Author-level WordPress access and victim interaction with email, but the technique is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.0 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3188634/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Essential Addons for Elementor'.
4. Click 'Update Now' if available, or download version 6.1.0+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Platform: all
Temporarily deactivate Essential Addons for Elementor until patched:
wp plugin deactivate essential-addons-for-elementor-lite
Restrict Author-level access
Platform: all
Review and minimize users with Author or higher privileges:
wp user list --role=author --field=user_login
🧯 If You Can't Patch
- Implement email security controls to block images by default in password reset emails
- Enable two-factor authentication for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Versions below 6.1.0 are vulnerable. Check the plugin version in WordPress admin under Plugins → Installed Plugins, or run: wp plugin get essential-addons-for-elementor-lite --field=version
Check Version:
wp plugin get essential-addons-for-elementor-lite --field=version
Verify Fix Applied:
Confirm plugin version is 6.1.0 or higher, and check that the 'init_content_lostpassword_user_email_controls' function no longer exposes sensitive data
📡 Detection & Monitoring
Log Indicators:
- Unusual Author-level user activity
- Multiple password reset requests
- Admin account logins from unusual locations
Network Indicators:
- HTTP requests to password reset endpoints from Author-level accounts
- Email tracking pixel requests from unexpected sources
SIEM Query:
source="wordpress" AND (event="password_reset" OR event="user_login") AND user_role="author"