CVE-2024-9618
📋 TL;DR
This stored XSS vulnerability in the Master Addons WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. The scripts execute whenever users visit compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Master Addons plugin versions up to 2.0.7.2 are affected.
💻 Affected Systems
- Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
📦 What is this software?
Master Addons by Master Addons
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions as authenticated users, potentially leading to complete site compromise.
Likely Case
Attackers with contributor access inject malicious scripts that steal user session cookies or credentials when visitors view compromised pages.
If Mitigated
With proper user access controls and content security policies, impact is limited to potential defacement of specific pages without credential theft.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.7.3 or later
Vendor Advisory: https://master-addons.com/changelogs/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Master Addons plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Restrict User Roles
allLimit contributor-level access to trusted users only and implement principle of least privilege.
Implement Content Security Policy
allAdd CSP headers to restrict script execution sources and mitigate XSS impact.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to wp-config.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Disable Master Addons plugin completely until patched
- Remove contributor access for all untrusted users and audit existing contributor accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Master Addons version. If version is 2.0.7.2 or lower, system is vulnerable.Check Version:
wp plugin list --name=master-addons --field=version (if WP-CLI installed)Verify Fix Applied:
After update, verify Master Addons plugin version shows 2.0.7.3 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php or admin-post.php with Master Addons parameters
- Multiple page edits by contributor-level users in short time
- Script tags containing unusual attributes in page content
Network Indicators:
- Outbound connections to suspicious domains from WordPress pages
- Unexpected script loads from non-standard sources
SIEM Query:
source="wordpress.log" AND ("master-addons" OR "jltma_") AND (POST OR PUT) AND status=200🔗 References
- https://master-addons.com/changelogs/
- https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/js/master-addons-scripts.js#L1030
- https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/js/master-addons-scripts.js#L1993
- https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/js/master-addons-scripts.js#L510
- https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/js/master-addons-scripts.js#L535
- https://plugins.trac.wordpress.org/changeset/3243199/
- https://plugins.trac.wordpress.org/changeset/3249130/
- https://wordpress.org/plugins/master-addons/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d399f3-5517-4c5d-b792-94eb8b0cc0f4?source=cve
