CVE-2024-9868

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Nov 2, 2024 / Updated: 18d ago

010
CVSS 5.4EPSS 0.05%Medium
CVE info copied to clipboard

Summary

The Element Pack Elementor Addons plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the Age Gate Widget 'url' parameter. This vulnerability affects all versions up to and including 5.10.1 due to insufficient input sanitization and output escaping.

Impact

This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. This can lead to various attacks, including theft of sensitive information, session hijacking, or malicious actions performed on behalf of the victim. The impact is considered low for both confidentiality and integrity, with no direct impact on availability. The attack complexity is low, but it does require user interaction.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in version 5.10.2 of the Element Pack Elementor Addons plugin. The fix was committed to the WordPress plugin repository on November 4, 2024.

Mitigation

1. Update the Element Pack Elementor Addons plugin to version 5.10.2 or later. 2. If immediate updating is not possible, consider temporarily disabling the Age Gate Widget feature. 3. Implement strong input validation and output encoding practices for all user-supplied input, especially in the Age Gate Widget. 4. Review and limit user roles and permissions, ensuring only trusted users have Contributor-level access or higher. 5. Regularly audit and monitor for any suspicious activities or unauthorized changes in pages using the Element Pack plugin. 6. Educate users about the risks of XSS attacks and the importance of not clicking on suspicious links or interacting with untrusted content.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9868

Nov 2, 2024 at 2:15 AM
CVSS

A CVSS base score of 5.4 has been assigned.

Nov 2, 2024 at 2:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9868. See article

Nov 2, 2024 at 2:24 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 2, 2024 at 2:24 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 15.1%)

Nov 2, 2024 at 10:05 AM
Static CVE Timeline Graph

Affected Systems

Bdthemes/element_pack
+null more

Patches

plugins.trac.wordpress.org
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

News

US-CERT Vulnerability Summary for the Week of October 28, 2024
abdullahirfan — documentpress Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Abdullah Irfan DocumentPress allows Reflected XSS.This issue affects DocumentPress: from n/a through 2.1. 2024-10-29 6.1 CVE-2024-49656 [email protected] abdullahirfan — whitelist Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Abdullah Irfan Whitelist allows Reflected XSS.This issue affects Whitelist: from n/a through 3.5. 2024-10-29 6.1 CVE-2024-49643 [email protected] AffiliateX–AffiliateX Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in AffiliateX allows Stored XSS.This issue affects AffiliateX: from n/a through 1.2.9. 2024-10-29 6.5 CVE-2024-49692 [email protected] Ahmed Kaludi, Mohammed Kaludi–AMP for WP Missing Authorization vulnerability in Ahmed Kaludi, Mohammed Kaludi AMP for WP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AMP for WP: from n/a through 1.0.96.1. 2024-11-01 6.3 CVE-2024-43146 [email protected] Alex Volkov–WP Accessibility Helper (WAH) Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9.
Update Sun Nov 3 14:28:56 UTC 2024
Update Sun Nov 3 14:28:56 UTC 2024
RedPacketSec: CVE Alert: CVE-2024-9868 – https://t.co/hXYvlhGt1T #OSINT #ThreatIntel #CyberSecurity #cve_2024_9868
CVE Alert: CVE-2024-9868 – https://t.co/hXYvlhGt1T #OSINT #ThreatIntel #CyberSecurity #cve_2024_9868 — RedPacket Security (@RedPacketSec) November 3, 2024 The post RedPacketSec: CVE Alert: CVE-2024-9868 – https://t.co/hXYvlhGt1T #OSINT #ThreatIntel #CyberSecurity #cve_2024_9868 first appeared on JOSSICA - jossica.com .
CVE Alert: CVE-2024-9868 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-9868/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_9868
Medium - CVE-2024-9868 - The Element Pack Elementor Addons (Header...
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate Widget...
See 10 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI