CVE-2024-9888
📋 TL;DR
This stored XSS vulnerability in ElementInvader Addons for Elementor allows authenticated attackers with contributor-level WordPress access to inject malicious scripts via contact form redirect URLs. The scripts execute when users visit compromised pages, potentially stealing credentials or performing unauthorized actions. All WordPress sites using this plugin up to version 1.2.8 are affected.
💻 Affected Systems
- ElementInvader Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or redirect visitors to phishing pages.
If Mitigated
With proper user role management and input validation, impact is limited to isolated script execution without privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3168782/elementinvader-addons-for-elementor/trunk/modules/forms/ajax-handler.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'ElementInvader Addons for Elementor'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 1.2.9+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Remove Contributor Access
allTemporarily remove contributor-level access from untrusted users until patch is applied.
Disable Contact Form Widget
allDisable the vulnerable contact form widget in ElementInvader settings.
🧯 If You Can't Patch
- Remove the ElementInvader Addons for Elementor plugin entirely
- Implement strict user role management and audit all contributor accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > ElementInvader Addons for Elementor. If version is 1.2.8 or lower, you are vulnerable.Check Version:
wp plugin list --name='elementinvader-addons-for-elementor' --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.2.9 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with redirect_url parameters containing script tags
- Multiple failed login attempts followed by contributor-level access
Network Indicators:
- Unexpected JavaScript execution on contact form pages
- External redirects from contact forms
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "redirect_url" AND ("<script>" OR "javascript:")