CVE-2024-9868
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into web pages via the Age Gate Widget's 'url' parameter. The scripts are stored and execute whenever users visit the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using Element Pack Elementor Addons up to version 5.10.1 are affected.
💻 Affected Systems
- Element Pack Elementor Addons for WordPress
📦 What is this software?
Element Pack by Bdthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, install backdoors, or completely compromise the WordPress site and potentially the underlying server.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies, display fraudulent content, or redirect users to phishing pages.
If Mitigated
With proper input validation and output escaping, the vulnerability is eliminated, preventing script injection entirely.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has Contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.10.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3176764/bdthemes-element-pack-lite/trunk/modules/age-gate/widgets/age-gate.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Element Pack Elementor Addons'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 5.10.2+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable Age Gate Widget
allTemporarily disable the vulnerable Age Gate widget to prevent exploitation while awaiting patch.
Navigate to WordPress admin > Elementor > Settings > Advanced > Disable Age Gate Widget
Restrict User Roles
allTemporarily remove Contributor role permissions or limit user creation until patched.
Use WordPress role management plugins to restrict Contributor capabilities
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads targeting the Age Gate widget
- Regularly audit user accounts and monitor for suspicious Contributor-level activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Element Pack version. If version is 5.10.1 or lower, you are vulnerable.Check Version:
wp plugin list --name="Element Pack" --field=versionVerify Fix Applied:
After updating, verify Element Pack version is 5.10.2 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to age-gate endpoints
- Multiple failed login attempts followed by successful Contributor login
- Suspicious JavaScript in page content
Network Indicators:
- HTTP requests containing script tags in URL parameters
- Unexpected redirects from legitimate pages
SIEM Query:
source="wordpress.log" AND ("age-gate" OR "element-pack") AND ("script" OR "javascript" OR "onload" OR "onerror")