CVE-2024-0767 in Elementor Templates & Widgets for WooCommerce Plugin
Summary
by MITRE • 02/28/2024
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/18/2025
The vulnerability identified as CVE-2024-0767 affects the Envo's Elementor Templates & Widgets for WooCommerce plugin, which is a popular WordPress extension designed to enhance e-commerce functionality through Elementor page builder integration. This plugin serves as a bridge between WooCommerce and Elementor, allowing users to create sophisticated product pages and shop layouts. The vulnerability exists within version 1.4.4 and all earlier releases, representing a critical security weakness that could compromise WordPress sites relying on this plugin for their online store operations.
The technical flaw manifests in the ajax_plugin_activation function where nonce validation is either completely absent or implemented incorrectly. Nonce validation serves as a cryptographic token that ensures requests originate from legitimate sources within the WordPress ecosystem. When this validation mechanism fails, attackers can craft malicious requests that appear to come from authenticated administrators. The vulnerability specifically targets the plugin activation functionality, allowing unauthorized parties to enable or disable plugins without proper authorization, which could lead to significant system compromise through the installation of malicious code or the exploitation of other plugin vulnerabilities.
The operational impact of this Cross-Site Request Forgery vulnerability is particularly severe as it requires only a simple social engineering attack to exploit. An attacker can construct a malicious link or embedded content that, when clicked by an administrator, triggers the activation of arbitrary plugins on the target site. This attack vector is especially dangerous because it leverages the administrator's existing privileges and trust relationship with the WordPress system. Once a malicious plugin is activated, it can potentially provide persistent access, data exfiltration capabilities, or serve as a foothold for further attacks within the WordPress environment. The vulnerability affects all WordPress installations using the affected plugin version, regardless of the underlying WordPress core version or hosting configuration.
Security practitioners should immediately implement mitigations including updating to the latest available version of the Envo's Elementor Templates & Widgets for WooCommerce plugin, which should contain proper nonce validation. Organizations should also consider implementing additional security measures such as monitoring for unauthorized plugin activations, restricting administrative privileges to essential personnel only, and conducting regular security audits of installed plugins. The vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses, and could be categorized under ATT&CK technique T1059.001 for command and scripting interpreter usage in exploitation. Organizations should also consider implementing Web Application Firewalls and Content Security Policies to help detect and prevent such attacks, while maintaining comprehensive monitoring of plugin activation events to identify potential unauthorized modifications to the WordPress installation.