CVE-2024-9993
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into website pages via the Event Calendar widget. The scripts execute whenever users visit the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using Essential Addons for Elementor plugin versions up to 6.1.12 are affected.
💻 Affected Systems
- Essential Addons for Elementor WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, install backdoors, redirect users to malicious sites, or completely compromise the WordPress site and potentially the underlying server.
Likely Case
Attackers with contributor access inject malicious JavaScript to steal user session cookies, redirect visitors to phishing pages, or deface the website.
If Mitigated
With proper user role management and input validation, the attack surface is reduced, but the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges. The vulnerability is publicly documented with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.2.0 and above
Vendor Advisory: https://wordpress.org/plugins/essential-addons-for-elementor-lite/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Essential Addons for Elementor'.
4. Click 'Update Now' if available.
5. Alternatively, download version 6.2.0+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable Event Calendar Widget
Temporarily disable the vulnerable widget to prevent exploitation while planning the update.
Restrict User Roles
Tighten user role permissions to limit who can create or edit posts with contributor access.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads targeting the eael_event_details_text parameter.
- Apply strict Content Security Policy (CSP) headers to mitigate script execution from unauthorized sources.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Essential Addons for Elementor → Version number. If version is 6.1.12 or lower, you are vulnerable.
Check Version:
wp plugin list --name='essential-addons-for-elementor-lite' --field=version
Verify Fix Applied:
After updating, confirm plugin version is 6.2.0 or higher in WordPress plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin containing eael_event_details_text parameter with script tags
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript payloads in HTTP responses
SIEM Query:
source="wordpress.log" AND ("eael_event_details_text" AND ("script" OR "javascript" OR "onerror"))
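The SIEM query above matches the bare word "script", which also fires on ordinary event descriptions, and it misses percent-encoded payloads. The following added example (not code from the advisory or from the plugin) applies the same indicators to constructed audit-log lines after decoding the eael_event_details_text value; the log line format and user names are assumptions.

```python
from urllib.parse import parse_qs, unquote_plus

PARAM = "eael_event_details_text"
# Markers from the page's SIEM query, matched as tag/attribute fragments so
# that prose merely containing the word "script" is not flagged.
MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed audit-log lines, not real traffic. Assumed format:
# "<wp_user> <method> <path> <urlencoded form body>"
SAMPLE_LOG = """\
contributor1 POST /wp-admin/admin-ajax.php post_ID=12&eael_event_details_text=Doors+open+at+7pm
contributor2 POST /wp-admin/admin-ajax.php post_ID=12&eael_event_details_text=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
contributor3 POST /wp-admin/post.php post_ID=13&eael_event_details_text=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E
editor1 POST /wp-admin/post.php post_ID=14&eael_event_details_text=See+the+script+for+the+play
"""


def decode_value(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded markers are caught."""
    value = raw
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def scan_line(line: str):
    """Return (user, path, marker) when a POST writes a script marker into PARAM, else None."""
    parts = line.split(" ", 3)
    if len(parts) < 4 or parts[1] != "POST":
        return None
    user, _method, path, body = parts
    # parse_qs already performs one decoding pass; decode_value handles further layers.
    for raw in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        value = decode_value(raw)
        for marker in MARKERS:
            if marker in value:
                return (user, path, marker)
    return None


def scan_log(text: str):
    """Scan every line and return the list of hits in log order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for user, path, marker in scan_log(SAMPLE_LOG):
        print(f"suspicious write by {user} to {path}: marker {marker!r}")
```

The double-encoded third line is caught only because the value is decoded before matching; the fourth line, an ordinary description, is not flagged.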