CVE-2024-37945

Vulnerability

Overview

The WPBITS Addons For Elementor Page Builder plugin for WordPress versions up to and including 1.5 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored and executed when other users visit affected pages [1].

Exploitation

Details

Exploitation requires a privileged user (e.g., an editor or administrator) to inject a crafted payload through the plugin's input fields. The attacker does not need direct access to the server but must have a role that can add or edit content using the Elementor builder. Successful exploitation occurs when the stored script is rendered in a visitor's browser, typically without requiring any additional user interaction beyond normal page viewing [1].

Impact

An attacker can inject arbitrary JavaScript, HTML, or other client-side code. This can be used to redirect visitors to malicious sites, display unauthorized advertisements, steal session cookies, or perform other actions within the security context of the victim's browser. The vulnerability is rated as Medium severity (CVSS 6.5) and is considered low risk for exploitation, though it could be used in mass campaigns targeting multiple WordPress sites [1].

Mitigation

The vendor has released version 1.5.1 which fixes the issue. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins. No workarounds are documented, so updating is the recommended course of action [1].