Element Pack Lite, a popular add-on for the Elementor page builder in WordPress, provides users with advanced widgets and design tools. However, a critical vulnerability, CVE-2024-10493, has been identified in the plugin. This flaw allows attackers with contributor-level access to inject malicious JavaScript code into the “Content Caption” field of a new post, which can result in an admin account being created. With over 100,000 installations, this vulnerability poses a significant risk to WordPress sites that use Element Pack Lite to extend their Elementor functionality.
| CVE | CVE-2024-10493 |
| Plugin | Element Pack Elementor Addons < 5.10.3 |
| Critical | High |
| All Time | 3 451 124 |
| Active installations | 100 000+ |
| Publicly Published | November 14, 2024 |
| Last Updated | November 14, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10493 https://wpscan.com/vulnerability/2e7f7196-054b-4cfd-9219-c60bb8275e8d/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
Timeline
| October 29, 2024 | Plugin testing and vulnerability detection in the Element Pack Elementor Addons have been completed |
| October 29, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 14, 2024 | Registered CVE-2024-10493 |
Discovery of the Vulnerability
The vulnerability was discovered during a routine security audit of the Element Pack Lite plugin. It was found that the plugin fails to properly sanitize the “Content Caption” field in its “Lightbox” block widget. This oversight allows an attacker to inject malicious JavaScript code into the field, which is stored in the WordPress database and executed when the image is clicked in the frontend. The vulnerability can be triggered by contributors, who typically have minimal privileges, making it particularly dangerous as it can be exploited without requiring admin access.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are one of the most common and dangerous types of security flaws found in web applications, including WordPress. XSS occurs when an attacker is able to inject malicious scripts into content that is then viewed by other users. These scripts can steal sensitive data, hijack user sessions, or perform unauthorized actions on behalf of the user. Real-world examples of XSS vulnerabilities in WordPress include the attack vector found in the WPForms plugin, where improper sanitization allowed attackers to inject malicious JavaScript into form fields. Similarly, CVE-2024-10493 exploits improper sanitization in the Element Pack Lite plugin’s “Content Caption” field, allowing attackers to inject harmful scripts into the site.
Exploiting the XSS Vulnerability
To exploit CVE-2024-10493, an attacker with contributor-level access can create a new post and insert a “Lightbox” block into the post content.
POC:
Create a new POST. Add here "Lightbox" block and change "Content Caption" field to <img src=x onerror=alert(1)>123 -> Set any image you want -> Publish -> Go to new post and try to open image by clicking____
The potential risks of CVE-2024-10493 are severe. If exploited, this vulnerability could lead to account takeover and unauthorized access to the site. Attackers could hijack user sessions, steal sensitive information, or, in the worst case, create an admin account to gain full control over the WordPress site. For example, an attacker could use the backdoor admin account to alter site content, install malicious plugins, or steal customer data from e-commerce sites. In a real-world scenario, a website could be fully compromised, leading to data loss, reputational damage, and possible financial consequences. Furthermore, the vulnerability could serve as an entry point for further attacks on other connected systems or networks.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-10493, WordPress administrators should immediately update Element Pack Lite to the latest version as soon as a patch is available. Additionally, site administrators should review user roles and ensure that contributors do not have access to potentially dangerous settings, such as those in the “Content Caption” field. Sanitizing all user inputs, particularly those in content fields like captions, can prevent malicious scripts from being executed. It is also recommended to restrict the unfiltered_html capability for non-admin users and employ security plugins that scan for vulnerabilities in WordPress plugins and themes. Implementing Content Security Policies (CSP) can also limit the potential damage caused by any successful XSS attacks by blocking untrusted scripts. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-10493, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.
