Element Pack, a popular addon for the Elementor page builder, adds various widgets and elements to enhance the functionality of WordPress sites. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10980, has been discovered in the plugin. This flaw allows attackers with contributor privileges to inject malicious JavaScript into a post’s “Message” field within the “Cookie Consent” block, which is then executed when the content is viewed. This vulnerability can lead to admin account creation and full control of the affected WordPress site, posing a serious security risk to the over 100,000 active installations of Element Pack.
| CVE | CVE-2024-10980 |
| Plugin | Element Pack Elementor Addons < 5.10.3 |
| Critical | High |
| All Time | 3 211 144 |
| Active installations | 100 000+ |
| Publicly Published | November 14, 2024 |
| Last Updated | November 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10980 https://wpscan.com/vulnerability/915daad8-d14c-4457-a3a0-aa21744f4ae0/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 30, 2024 | Plugin testing and vulnerability detection in the Element Pack Elementor Addons have been completed |
| October 30, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2024 | Registered CVE-2024-10980 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of the Element Pack Elementor Addons plugin. It was found that the plugin fails to properly sanitize user input, specifically in the “Message” field of the “Cookie Consent” block. By injecting JavaScript code into this field, an attacker with contributor-level access can store the malicious script in the WordPress database. When the post is published and the user clicks on the image embedded in the post, the malicious JavaScript executes, potentially leading to privilege escalation and backdoor admin access. This flaw is critical because contributors typically have limited access, and the ability to exploit such a vulnerability with minimal privileges makes the attack easier to carry out.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common vulnerabilities in web applications, particularly in content management systems like WordPress. XSS occurs when an attacker injects malicious scripts into web pages viewed by other users, typically through unsanitized input fields. This can lead to a variety of attacks, including session hijacking, unauthorized actions, and privilege escalation. In WordPress, XSS vulnerabilities often arise in plugins and themes that allow users to enter dynamic content, such as forms, comments, or widget settings. A well-known example of XSS in WordPress is the vulnerability found in the WPForms plugin, where attackers could inject JavaScript into form fields, allowing them to hijack user sessions. Similarly, CVE-2024-10980 exploits improper input sanitization in the Element Pack plugin, enabling contributors to inject harmful scripts into the “Cookie Consent” block.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10980, an attacker with contributor-level privileges:
POC:
Create a new POST. Add here "Cookie Consent" block and change "Message" field to <img src=x onerror=alert(1123)>123 -> Publish -> Go to new post and try to open image by clicking____
The risks associated with CVE-2024-10980 are substantial. If exploited, an attacker could hijack user sessions or escalate their privileges to gain administrative control of the site. For example, an attacker could steal sensitive data, change site settings, or install malicious software on the WordPress installation. In a real-world scenario, the attacker could use the backdoor admin access to perform a variety of malicious actions, such as altering site content, stealing customer data from e-commerce sites, or spreading malware to site visitors. This vulnerability is particularly dangerous for sites handling sensitive data or those with high traffic, as it can lead to severe data breaches and reputational damage. Moreover, the vulnerability could be exploited as a stepping stone for further attacks, compromising other sites or systems connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10980, it is crucial for WordPress administrators to update the Element Pack plugin to the latest version as soon as a patch is available. Additionally, site administrators should review user roles and restrict contributor-level users from accessing sensitive fields, such as the “Message” field in the “Cookie Consent” block. Sanitizing all user inputs, particularly in dynamic content fields, is essential to prevent malicious scripts from being injected and executed. It is also recommended to limit the unfiltered_html capability for non-admin users to prevent them from injecting JavaScript into posts and plugin settings. Security plugins that scan for XSS vulnerabilities should be used to detect and block such attacks. Implementing Content Security Policies (CSP) can also help mitigate the impact of successful XSS attacks by blocking untrusted scripts from executing. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10980, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
