CVE-2024-3680 in Enter Addons Plugininfo

Summary

by MITRE • 05/14/2024

The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Animation Title widget's img tag in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/31/2025

The Enter Addons – Ultimate Template Builder for Elementor plugin presents a critical stored cross-site scripting vulnerability that affects WordPress environments running versions up to and including 2.1.5. This vulnerability specifically targets the Animation Title widget's img tag implementation, creating a persistent security flaw that can be exploited by authenticated attackers possessing contributor-level privileges or higher. The vulnerability stems from inadequate input sanitization measures and insufficient output escaping mechanisms within the plugin's codebase, allowing malicious actors to inject malicious scripts that persist in the database and execute whenever affected pages are accessed by unsuspecting users.

The technical exploitation of this vulnerability occurs through the manipulation of the Animation Title widget's img tag parameter, where user-supplied input fails to undergo proper sanitization before being stored in the WordPress database. When administrators or other privileged users subsequently view pages containing the maliciously injected content, the stored scripts execute in their browsers, potentially enabling attackers to perform actions on behalf of victims, steal session cookies, or redirect users to malicious websites. This stored XSS vulnerability operates at the application layer and represents a direct violation of secure coding principles, as it fails to properly validate and escape user input before rendering it in web pages.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a persistent foothold within WordPress installations. Contributors and higher-level users typically have significant privileges within WordPress environments, including the ability to create and modify content, which means that a successful exploitation could allow attackers to compromise entire websites. The vulnerability's persistence means that malicious scripts remain active until manually removed from the database, potentially affecting multiple users over extended periods. This makes the vulnerability particularly dangerous in multi-user environments where contributors may have access to sensitive content or administrative functions.

Security professionals should prioritize immediate patching of affected installations, as the vulnerability requires only contributor-level access to exploit effectively. Organizations should implement comprehensive input validation mechanisms and output escaping procedures to prevent similar issues in the future, following established security frameworks such as those outlined in the OWASP Top Ten and CWE-79. The ATT&CK framework categorizes this vulnerability under the T1059.007 technique for 'Command and Scripting Interpreter: JavaScript' as it enables attackers to execute malicious JavaScript code within victim browsers. Additionally, implementing proper role-based access controls and regular security audits can help mitigate the risk of such vulnerabilities being exploited, while maintaining proper logging and monitoring of user activities within WordPress environments.

Reservation

04/11/2024

Disclosure

05/14/2024

Moderation

accepted

CPE

ready

EPSS

0.00429

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!