Element Pack Lite, a popular add-on for the Elementor page builder in WordPress, provides users with advanced widgets and design tools. However, a critical vulnerability, CVE-2024-10493, has been identified in the plugin. This flaw allows attackers with contributor-level access to inject malicious JavaScript code into the “Content Caption” field of a new post, which can result in an admin account being created. With over 100,000 installations, this vulnerability poses a significant risk to WordPress sites that use Element Pack Lite to extend their Elementor functionality.

CVECVE-2024-10493
PluginElement Pack Elementor Addons < 5.10.3
CriticalHigh
All Time3 451 124
Active installations100 000+
Publicly PublishedNovember 14, 2024
Last UpdatedNovember 14, 2024
ResearcherDmitrii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10493
https://wpscan.com/vulnerability/2e7f7196-054b-4cfd-9219-c60bb8275e8d/
Plugin Security Certification by CleanTalk
Logo of the plugin

Timeline

October 29, 2024Plugin testing and vulnerability detection in the Element Pack Elementor Addons have been completed
October 29, 2024I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 14, 2024Registered CVE-2024-10493

Discovery of the Vulnerability

The vulnerability was discovered during a routine security audit of the Element Pack Lite plugin. It was found that the plugin fails to properly sanitize the “Content Caption” field in its “Lightbox” block widget. This oversight allows an attacker to inject malicious JavaScript code into the field, which is stored in the WordPress database and executed when the image is clicked in the frontend. The vulnerability can be triggered by contributors, who typically have minimal privileges, making it particularly dangerous as it can be exploited without requiring admin access.

Understanding of XSS attack’s

Cross-Site Scripting (XSS) vulnerabilities are one of the most common and dangerous types of security flaws found in web applications, including WordPress. XSS occurs when an attacker is able to inject malicious scripts into content that is then viewed by other users. These scripts can steal sensitive data, hijack user sessions, or perform unauthorized actions on behalf of the user. Real-world examples of XSS vulnerabilities in WordPress include the attack vector found in the WPForms plugin, where improper sanitization allowed attackers to inject malicious JavaScript into form fields. Similarly, CVE-2024-10493 exploits improper sanitization in the Element Pack Lite plugin’s “Content Caption” field, allowing attackers to inject harmful scripts into the site.

Exploiting the XSS Vulnerability

To exploit CVE-2024-10493, an attacker with contributor-level access can create a new post and insert a “Lightbox” block into the post content.

POC:

Create a new POST. Add here "Lightbox" block and change "Content Caption" field to &lt;img src=x onerror=alert(1)&gt;123 -> Set any image you want -> Publish -> Go to new post and try to open image by clicking

____

The potential risks of CVE-2024-10493 are severe. If exploited, this vulnerability could lead to account takeover and unauthorized access to the site. Attackers could hijack user sessions, steal sensitive information, or, in the worst case, create an admin account to gain full control over the WordPress site. For example, an attacker could use the backdoor admin account to alter site content, install malicious plugins, or steal customer data from e-commerce sites. In a real-world scenario, a website could be fully compromised, leading to data loss, reputational damage, and possible financial consequences. Furthermore, the vulnerability could serve as an entry point for further attacks on other connected systems or networks.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-10493, WordPress administrators should immediately update Element Pack Lite to the latest version as soon as a patch is available. Additionally, site administrators should review user roles and ensure that contributors do not have access to potentially dangerous settings, such as those in the “Content Caption” field. Sanitizing all user inputs, particularly those in content fields like captions, can prevent malicious scripts from being executed. It is also recommended to restrict the unfiltered_html capability for non-admin users and employ security plugins that scan for vulnerabilities in WordPress plugins and themes. Implementing Content Security Policies (CSP) can also limit the potential damage caused by any successful XSS attacks by blocking untrusted scripts. To prevent this type of attacks vendor used our methods of prevention.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10493, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii I.
CVE-2024-10493 – Element Pack Lite – Addons for Elementor – Stored XSS to Admin Account Creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *