Elementor, a popular WordPress page builder plugin, has recently been at the center of a concerning security issue involving multiple third-party addons. A total of 11 Elementor addons were discovered to have vulnerabilities, potentially putting millions of websites at risk. In this article, we will delve into the details of these vulnerabilities, explain the potential impacts on WordPress users, and provide guidance on what actions site owners should take to protect their websites.
The points we will discuss in this article:
- Wordfence has reported vulnerabilities in 11 third-party Elementor addons, among them a stored cross-site scripting (XSS) flaw, CVE-2024-47366, in the Elementor Addon Elements plugin by WPVibes (versions up to 1.13.6, fixed in 1.13.7).
- A separate, far more severe flaw in the popular Essential Addons for Elementor plugin: an unauthenticated arbitrary password reset that lets anyone who knows a username set that user's password, including an administrator's, and so seize full control of the site.
- The Essential Addons flaw was fixed by the plugin maintainers in version 5.7.2, shipped on May 11, 2024; the plugin has over one million active installations.
- The flaw is being actively exploited in the wild, and users are advised to update to the latest version as soon as possible.
- What site owners should do now: update affected plugins, scan for signs of compromise, and put a web application firewall in front of the site.
Table of Contents [TOC]
Essential Addons for Elementor WordPress Plugin
The widely-used Essential Addons for Elementor plugin (free version, versio
Security Vulnerabilities in Elementor Addons
The vulnerabilities were identified by the cybersecurity team at Wordfence, and a detailed breakdown has also been reported by Search Engine Journal. The vulnerabilities affect various plugins that extend Elementor’s functionality, making them susceptible to cross-site scripting (XSS), SQL injection, and other attacks. These issues can allow malicious actors to inject code, compromise website integrity, or even gain administrative access to affected sites.
One notable vulnerability, CVE-2024-47366, was identified in the Elementor Addon Elements plugin by WPVibes. This particular vulnerability involves Stored Cross-site Scripting (XSS), a type of attack that allows malicious scripts to be persistently stored on the server, exposing visitors to potential threats each time the page is loaded. This vulnerability affects versions up to 1.13.6 of the plugin and is categorized under CWE-79, highlighting improper neutralization of input during web page generation. With a CVSS score of 6.5, it is considered a medium severity risk, with low attack complexity, requiring minimal privileges and some user interaction.
List of Affected Plugins and Their Risks
The affected plugins include popular names such as Addon Elements for Elementor Page Builder and several others. Each of these addons serves to provide additional features for Elementor users, from new design widgets to enhanced layout customization. However, these useful tools have inadvertently introduced weaknesses that attackers can exploit.
- Addon Elements for Elementor Page Builder: This plugin contained CVE-2024-47366, a stored XSS flaw that lets an attacker with the required privileges persist a script on the server; the script then runs in the browser of every visitor who loads the affected page.
- Other Affected Plugins: The vulnerabilities in these plugins were varied, ranging from cross-site scripting (XSS) to privilege escalation vulnerabilities, which could potentially allow attackers to gain higher levels of access to a website’s admin panel.
Potential Consequences of the Vulnerabilities
The consequences of these vulnerabilities could be severe for WordPress website owners. Sites using affected plugins could experience:
- Malware Injection: Vulnerabilities can enable attackers to inject malicious scripts, redirecting site visitors or compromising their data.
- Full Site Compromise: In cases where SQL injections or privilege escalation attacks are possible, an attacker could take complete control of the website, potentially leading to a complete data breach or site defacement.
- Persistent Security Risks: With stored XSS (CVE-2024-47366), the malicious script lives on the server and executes every time the page is loaded, enabling session hijacking, theft of credentials and other data, or silent redirection of visitors. This affects the integrity and confidentiality of the web application and, if the script runs in an administrator's browser, can be a stepping stone to full site takeover.
How to Mitigate the Risks
For website owners using Elementor addons, it is crucial to take immediate action to mitigate these risks. The Wordfence team recommends the following steps:
- Update Plugins: Ensure that all Elementor addons are updated to their latest versions, as developers have already released patches for these vulnerabilities. For CVE-2024-47366, users should update the Elementor Addon Elements plugin to version 1.13.7 or later to rectify improper input neutralization and prevent XSS attacks.
Steps to update through the WordPress dashboard:
- Log in to your WordPress admin dashboard.
- Navigate to ‘Plugins’ and click on ‘Installed Plugins.’
- Find ‘Elementor Addon Elements’ in the list.
- Click on ‘Update Now’ if an update is available.
- Run a Security Scan: Use a security plugin, such as Wordfence, to run a full website scan and identify any signs of compromise.
- Deactivate and Replace Vulnerable Plugins: If the developer of a vulnerable plugin has not yet released an update, consider deactivating or replacing the plugin with a more secure alternative.
- Web Application Firewall (WAF): Deploying a WAF can help detect and block malicious traffic, including XSS attempts, before they reach your application.
- Security Audits: Conduct routine security audits to identify and remediate potential vulnerabilities across your WordPress site.
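Checking the installed versions against the fixed releases named in this article can be automated with wp-cli. The following script is an added example, not code from Wordfence, Patchstack or the plugin authors. It reads the JSON printed by `wp plugin list --format=json` (fields name, status, version) and reports every listed plugin that is still below its fixed version, together with the wp-cli command that remediates it. The slug essential-addons-for-elementor-lite is given on this page; the slug addon-elements-for-elementor-page-builder used for "Elementor Addon Elements" is an assumption and should be checked against the site's wp-content/plugins directory.

```python
"""Audit installed WordPress plugin versions against the fixed releases cited above.

Added example for this article; not Wordfence's, Patchstack's or the plugin
authors' code. Feed it the output of `wp plugin list --format=json`.
"""
import json
import re

# Fixed versions as stated in this article (slug -> first safe version).
FIXED_VERSIONS = {
    "essential-addons-for-elementor-lite": "5.7.2",         # CVE-2024-32243
    "addon-elements-for-elementor-page-builder": "1.13.7",  # CVE-2024-47366 (slug assumed)
}

# Constructed sample of `wp plugin list --format=json` output, not from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "version": "3.21.0"},
    {"name": "essential-addons-for-elementor-lite", "status": "inactive", "version": "5.7.1"},
    {"name": "addon-elements-for-elementor-page-builder", "status": "active", "version": "1.13.7"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])


def version_key(version):
    """Split '5.7.1' into (5, 7, 1) for tuple comparison.

    Only numeric components are kept, so '1.13.6-beta' compares as 1.13.6;
    treat pre-release builds as vulnerable until confirmed otherwise.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed):
    """True when the installed version sorts below the first fixed version.

    Tuple comparison handles mixed lengths correctly: (5, 7) < (5, 7, 2).
    """
    return version_key(installed) < version_key(fixed)


def audit(wp_plugin_list_json):
    """Return one finding per plugin that is below its fixed version.

    Inactive plugins are reported too: the vulnerable code is still on disk and
    one click re-enables it, so update or delete them as well.
    """
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin.get("name", "")
        fixed = FIXED_VERSIONS.get(slug)
        if fixed is None or not is_vulnerable(plugin.get("version", "0"), fixed):
            continue
        findings.append({
            "slug": slug,
            "installed": plugin["version"],
            "fixed": fixed,
            "status": plugin.get("status", "unknown"),
            "remediation": f"wp plugin update {slug}",
        })
    return findings


if __name__ == "__main__":
    import sys
    # Real use: wp plugin list --format=json | python audit_plugins.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    for finding in audit(data):
        print(f"{finding['slug']} {finding['installed']} < {finding['fixed']} "
              f"({finding['status']}): {finding['remediation']}")
```

With the constructed sample the only finding is Essential Addons at 5.7.1, even though it is inactive; a deactivated plugin is not a fix, only an update or removal is.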
The Role of Developers and Users in Maintaining Security
These vulnerabilities highlight the importance of proactive security measures for both developers and end users. Developers must follow best practices for secure coding, conduct regular security audits, and issue timely patches. Meanwhile, website owners should prioritize regular updates and adopt comprehensive security practices to ensure the safety of their digital properties.
Conclusion: Protecting Your WordPress Site
The discovery of vulnerabilities in 11 Elementor addons serves as a critical reminder of the risks associated with third-party plugins. While these addons enhance the functionality and design of Elementor-powered websites, the security concerns they bring must not be ignored. Site administrators should update their plugins promptly, stay informed of any security notices, and consider professional security tools to safeguard their websites from potential attacks.
Ensuring timely updates, using Web Application Firewalls (WAF), and conducting regular security audits are crucial steps in safeguarding your web applications from vulnerabilities like CVE-2024-47366. If you’re unsure whether your site has been affected, consider consulting a WordPress security expert for a thorough audit and professional advice.
A far more severe flaw was also found earlier in another Elementor addon, Essential Addons for Elementor.
Tracked as CVE-2024-32243, the issue has been promptly addressed by the plugin maintainers in version 5.7.2, released on May 11, 2024. With over a million active installations, Essential Addons for Elementor has become a target for malicious actors.
Vulnerability Details
Description: Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation
Affected Plugin: Essential Addons for Elementor
Plugin Slug: essential-addons-for-elementor-lite
Affected Versions: <= 5.7.1
CVE ID: CVE-2024-32243
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Rafie Muhammad (Patchstack)
Fully Patched Version: 5.7.2
Vulnerability came from observing the init hook located in the register_hooks function:
includes/Classes/Bootstrap.php
// Login | Register
add_action( 'init', [ $this, 'login_or_register_user' ] );
Let’s see the login_or_register_user function that will be triggered:
includes/Traits/Login_Registration.php
public function login_or_register_user() {
    do_action( 'eael/login-register/before-processing-login-register', $_POST );

    // login or register form?
    if ( isset( $_POST['eael-login-submit'] ) ) {
        $this->log_user_in();
    } else if ( isset( $_POST['eael-register-submit'] ) ) {
        $this->register_user();
    } else if ( isset( $_POST['eael-lostpassword-submit'] ) ) {
        $this->send_password_reset();
    } else if ( isset( $_POST['eael-resetpassword-submit'] ) ) {
        $this->reset_password();
    }

    do_action( 'eael/login-register/after-processing-login-register', $_POST );
}
If specific $_POST parameters are set, the function will conduct several checks and invoke the appropriate function. The reset_password function is where the underlying vulnerability resides. According to the official commit, this affected function is only present in versions 5.4.0 and later.
includes/Traits/Login_Registration.php
public function reset_password() {
    $ajax = wp_doing_ajax();

    $page_id = 0;
    if ( ! empty( $_POST['page_id'] ) ) {
        $page_id = intval( $_POST['page_id'], 10 );
    } else {
        $err_msg = esc_html__( 'Page ID is missing', 'essential-addons-for-elementor-lite' );
    }

    $widget_id = 0;
    if ( ! empty( $_POST['widget_id'] ) ) {
        $widget_id = sanitize_text_field( $_POST['widget_id'] );
    } else {
        $err_msg = esc_html__( 'Widget ID is missing', 'essential-addons-for-elementor-lite' );
    }

    // The submitted rp_key is sanitized and stored, but it is never validated anywhere below.
    $rp_data = [
        'rp_key'   => ! empty( $_POST['rp_key'] ) ? sanitize_text_field( $_POST['rp_key'] ) : '',
        'rp_login' => ! empty( $_POST['rp_login'] ) ? sanitize_text_field( $_POST['rp_login'] ) : '',
    ];
    update_option( 'eael_resetpassword_rp_data_' . esc_attr( $widget_id ), maybe_serialize( $rp_data ), false );
    update_option( 'eael_show_reset_password_on_form_submit_' . $widget_id, true, false );

    if ( ! empty( $err_msg ) ) {
        if ( $ajax ) {
            wp_send_json_error( $err_msg );
        }
        update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );
        if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
            wp_safe_redirect( $_SERVER['HTTP_REFERER'] );
            exit();
        }
    }

    if ( empty( $_POST['eael-resetpassword-nonce'] ) ) {
        $err_msg = esc_html__( 'Insecure form submitted without security token', 'essential-addons-for-elementor-lite' );
        if ( $ajax ) {
            wp_send_json_error( $err_msg );
        }
        update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );
        if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
            wp_safe_redirect( $_SERVER['HTTP_REFERER'] );
            exit();
        }
    }

    // The nonce is the only "token" checked, and it is printed into every front-end page (see below).
    if ( ! wp_verify_nonce( $_POST['eael-resetpassword-nonce'], 'essential-addons-elementor' ) ) {
        $err_msg = esc_html__( 'Security token did not match', 'essential-addons-for-elementor-lite' );
        if ( $ajax ) {
            wp_send_json_error( $err_msg );
        }
        update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );
        if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
            wp_safe_redirect( $_SERVER['HTTP_REFERER'] );
            exit();
        }
    }

    $settings = $this->lr_get_widget_settings( $page_id, $widget_id );

    if ( is_user_logged_in() ) {
        $err_msg = isset( $settings['err_loggedin'] ) ? __( Helper::eael_wp_kses( $settings['err_loggedin'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'You are already logged in', 'essential-addons-for-elementor-lite' );
        if ( $ajax ) {
            wp_send_json_error( $err_msg );
        }
        update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );
        if ( isset( $_SERVER['HTTP_REFERER'] ) ) {
            wp_safe_redirect( $_SERVER['HTTP_REFERER'] );
            exit();
        }
    }

    do_action( 'eael/login-register/before-resetpassword-email' );

    $widget_id = ! empty( $_POST['widget_id'] ) ? sanitize_text_field( $_POST['widget_id'] ) : '';

    // Check if password is one or all empty spaces.
    $errors = [];
    if ( ! empty( $_POST['eael-pass1'] ) ) {
        $post_eael_pass1 = trim( $_POST['eael-pass1'] );
        if ( empty( $post_eael_pass1 ) ) {
            $errors['password_reset_empty_space'] = isset( $settings['err_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The password cannot be a space or all spaces.', 'essential-addons-for-elementor-lite' );
        }
    } else {
        if ( empty( $_POST['eael-pass1'] ) ) {
            $errors['password_reset_empty_space'] = isset( $settings['err_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The password cannot be a space or all spaces.', 'essential-addons-for-elementor-lite' );
        }
    }

    if ( ! empty( $_POST['eael-pass1'] ) && strlen( trim( $_POST['eael-pass1'] ) ) == 0 ) {
        $errors['password_reset_empty'] = esc_html__( 'The password cannot be empty.', 'essential-addons-for-elementor-lite' );
    }

    // Check if password fields do not match.
    if ( ! empty( $_POST['eael-pass1'] ) && $_POST['eael-pass2'] !== $_POST['eael-pass1'] ) {
        $errors['password_reset_mismatch'] = isset( $settings['err_conf_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_conf_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The passwords do not match.', 'essential-addons-for-elementor-lite' );
    }

    if ( ( ! count( $errors ) ) && isset( $_POST['eael-pass1'] ) && ! empty( $_POST['eael-pass1'] ) ) {
        $rp_login = isset( $_POST['rp_login'] ) ? sanitize_text_field( $_POST['rp_login'] ) : '';
        // The target account is chosen by username alone; no reset key is checked.
        $user = get_user_by( 'login', $rp_login );
        if ( $user || ! is_wp_error( $user ) ) {
            reset_password( $user, sanitize_text_field( $_POST['eael-pass1'] ) );
            // ...
To keep $err_msg unset, the request only has to carry some non-empty $_POST['page_id'] and $_POST['widget_id']; their values are never validated. A valid $_POST['eael-resetpassword-nonce'] for the action 'essential-addons-elementor' is also required, since the code does verify the nonce. Finally, $_POST['eael-pass1'] and $_POST['eael-pass2'] must contain the same non-empty password string, because that is the only validation the new password undergoes.
Once those conditions are met, the code takes $rp_login from $_POST['rp_login'] and looks the account up with get_user_by( 'login', $rp_login ). Note what it never does: the rp_key submitted with the form is sanitized and stored in an option, but it is never compared with the reset key WordPress issued for that user (the check that core's check_password_reset_key() performs). Proof of ownership of the account is therefore reduced to knowing its username.
If get_user_by() returns a user object, the code proceeds to reset_password() with the attacker-supplied password, and the attacker can now log in as that user.
The remaining question is how an attacker obtains a valid nonce for the 'essential-addons-elementor' action. It turns out the nonce is handed to every visitor: the load_commnon_asset function places it in the $this->localize_objects array, which is printed into the front end of the WordPress site. Because the nonce is generated for the logged-out visitor (user ID 0) and the handler is designed to run for logged-out users, the nonce check adds no authentication at all; it only proves the request came from someone who fetched a page first.
includes/Classes/Asset_Builder.php
// localize object
$this->localize_objects = apply_filters( 'eael/localize_objects', [
    'ajaxurl' => admin_url( 'admin-ajax.php' ),
    'nonce'   => wp_create_nonce( 'essential-addons-elementor' ),
    // ...
In the frontend_asset_load function, this $this->localize_objects array is passed to wp_localize_script, which emits it into the page as the JavaScript object `localize`, so the nonce can be read from the HTML source of any front-end page that loads the plugin's assets.
includes/Classes/Asset_Builder.php
public function frontend_asset_load() {
    $handle        = 'eael';
    $this->post_id = get_the_ID();
    $this->elements_manager->get_element_list( $this->post_id );
    $this->load_commnon_asset();
    $this->register_script();
    // ...
    wp_localize_script( $handle, 'localize', $this->localize_objects );
}
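The analysis above gives a defender two things to look for in traffic: the handler dispatches on the presence of eael-resetpassword-submit, and the vulnerable version never checks rp_key, so attack tooling can omit it or send junk, whereas a genuine reset link carries the 20-character alphanumeric key that WordPress core generates with wp_generate_password( 20, false ). The script below is an added example, not code from Patchstack or the plugin authors. It assumes a WAF or reverse proxy that logs request bodies (ordinary access logs do not record POST data) as JSON lines with the fields ts, src, method, uri and body; those field names and the sample traffic are constructed for this example. It flags reset POSTs without a plausible key and sources that submit resets for several different rp_login values, which is enumeration of accounts rather than one user resetting their own password.

```python
"""Detect abuse of the Essential Addons password-reset form in request logs.

Added example for this article; not Patchstack's or the plugin authors' code.
Input: JSON lines from a WAF or proxy that records request bodies. The field
names (ts, src, method, uri, body) are an assumption of this example.
"""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs

# WordPress core issues reset keys via wp_generate_password(20, false):
# exactly 20 characters from [A-Za-z0-9]. Anything else was never issued by core.
# This is a heuristic: an unpatched site accepts any key, so a careful attacker
# can send a well-formed one. The enumeration signal below does not depend on it.
RESET_KEY_RE = re.compile(r"^[A-Za-z0-9]{20}$")

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
{"ts": "2024-05-12T10:01:02Z", "src": "203.0.113.7", "method": "POST", "uri": "/login/", "body": "eael-resetpassword-submit=1&page_id=1&widget_id=abc&eael-resetpassword-nonce=deadbeef12&rp_login=admin&rp_key=x&eael-pass1=Pwned%21123&eael-pass2=Pwned%21123"}
{"ts": "2024-05-12T10:01:03Z", "src": "203.0.113.7", "method": "POST", "uri": "/login/", "body": "eael-resetpassword-submit=1&page_id=1&widget_id=abc&eael-resetpassword-nonce=deadbeef12&rp_login=editor&rp_key=&eael-pass1=Pwned%21123&eael-pass2=Pwned%21123"}
{"ts": "2024-05-12T10:05:00Z", "src": "198.51.100.9", "method": "POST", "uri": "/login/", "body": "eael-resetpassword-submit=1&page_id=1&widget_id=abc&eael-resetpassword-nonce=0123456789&rp_login=jane&rp_key=AbCdEfGhIjKlMnOpQrSt&eael-pass1=N3w-Secret&eael-pass2=N3w-Secret"}
{"ts": "2024-05-12T10:06:00Z", "src": "198.51.100.9", "method": "GET", "uri": "/", "body": ""}
"""


def reset_attempts(log_text):
    """Yield (record, form) for each POST that reaches the plugin's reset handler.

    login_or_register_user() dispatches on the presence of the
    eael-resetpassword-submit field, so the same field selects requests here.
    """
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("method") != "POST":
            continue
        # keep_blank_values so that an empty "rp_key=" survives parsing.
        parsed = parse_qs(record.get("body", ""), keep_blank_values=True)
        form = {name: values[0] for name, values in parsed.items()}
        if "eael-resetpassword-submit" in form:
            yield record, form


def analyze(log_text, enumeration_threshold=2):
    """Return findings: one per reset POST without a plausible key, plus one per
    source address that targeted at least enumeration_threshold distinct accounts."""
    findings = []
    targets_by_src = defaultdict(set)
    for record, form in reset_attempts(log_text):
        login = form.get("rp_login", "")
        targets_by_src[record["src"]].add(login)
        if not RESET_KEY_RE.match(form.get("rp_key", "")):
            findings.append({
                "ts": record["ts"],
                "src": record["src"],
                "rp_login": login,
                "reason": "rp_key missing or malformed",
            })
    for src, logins in targets_by_src.items():
        if len(logins) >= enumeration_threshold:
            findings.append({
                "src": src,
                "rp_login": sorted(logins),
                "reason": "multiple accounts targeted",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On a site that was still on 5.7.1 or earlier when such requests arrived, treat every rp_login that appears in a finding as a compromised account: force a new password and invalidate its sessions, then review users, plugins and scheduled tasks created after the timestamps. Patching stops further resets but does not undo ones that already succeeded.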
Unauthenticated Privilege Escalation Vulnerability
According to Rafie Muhammad, a researcher at Patchstack, the plugin suffers from an unauthenticated privilege escalation vulnerability. The flaw enables any unauthenticated visitor to take over any account on the WordPress site, including administrator accounts.
Exploiting this vulnerability successfully could allow threat actors to reset the password of any user, as long as they possess the knowledge of the targeted user’s username. The flaw is believed to have existed since version 5.4.0.