📄 الوصف (الإنجليزية)
The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15 This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=) allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🤖 ملخص AI
The Plus Addons for Elementor plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the Carousel Anything widget affecting versions up to 6.4.15. Authenticated attackers with contributor-level access can inject malicious scripts through the 'carousel_direction' parameter due to improper output escaping in unquoted HTML attributes. While currently unpatched, the vulnerability requires authenticated access, limiting immediate risk but posing significant threats to WordPress sites with multiple user roles.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: May 30, 2026 10:18
🇸🇦 التأثير على المملكة العربية السعودية
Saudi organizations using WordPress with Plus Addons for Elementor face moderate risk, particularly in government digital transformation initiatives, banking sector websites, healthcare portals, and e-commerce platforms. Government agencies (under NCA oversight) and ARAMCO subsidiaries using WordPress for internal or external communications are at risk. The vulnerability primarily affects organizations with multiple contributor-level users, common in large enterprises and government entities managing content across multiple departments. Compromised sites could lead to credential theft, malware distribution, or defacement affecting public trust in Saudi digital services.
🏢 القطاعات السعودية المتأثرة
Government & Public Administration
Banking & Financial Services
Healthcare & Medical Services
Energy & Utilities
Telecommunications
E-commerce & Retail
Education
Media & Publishing
🎯 تقنيات MITRE ATT&CK
⚖️ درجة المخاطر السعودية (AI)
5.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all WordPress installations using Plus Addons for Elementor plugin version 6.4.15 or earlier
2. Review user access logs for suspicious carousel widget modifications by contributor-level accounts
3. Restrict contributor-level permissions to Elementor editing until patch is available
4. Disable the Carousel Anything widget if not actively used
Compensating Controls:
1. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in carousel_direction parameters
2. Apply Content Security Policy (CSP) headers to prevent inline script execution
3. Enable WordPress security plugins with XSS detection capabilities
4. Implement strict input validation on all Elementor widget parameters at application level
5. Monitor page modifications and implement change detection alerts
Detection Rules:
1. Monitor database queries for carousel_direction parameters containing script tags or event handlers
2. Alert on any modifications to pages containing Carousel Anything widgets by contributor accounts
3. Log and review all Elementor widget configuration changes
4. Implement IDS/IPS signatures for XSS patterns in HTTP POST requests to wp-admin
Patching:
1. Contact Plus Addons developers for security patch timeline
2. Prepare upgrade plan for when patch becomes available
3. Test patch in staging environment before production deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Plus Addons for Elementor الإصدار 6.4.15 أو أقدم
2. مراجعة سجلات وصول المستخدمين للتعديلات المريبة على أداة carousel من قبل حسابات على مستوى المساهم
3. تقييد أذونات المساهمين لتحرير Elementor حتى يتوفر التصحيح
4. تعطيل أداة Carousel Anything إذا لم تكن قيد الاستخدام النشط
الضوابط التعويضية:
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن حمولات XSS وحجبها في معاملات carousel_direction
2. تطبيق رؤوس سياسة أمان المحتوى (CSP) لمنع تنفيذ البرامج النصية المضمنة
3. تفعيل مكونات أمان WordPress مع قدرات الكشف عن XSS
4. تنفيذ التحقق الصارم من الإدخال على جميع معاملات أداة Elementor على مستوى التطبيق
5. مراقبة تعديلات الصفحات وتنفيذ تنبيهات الكشف عن التغييرات
قواعد الكشف:
1. مراقبة استعلامات قاعدة البيانات لمعاملات carousel_direction التي تحتوي على علامات البرامج النصية أو معالجات الأحداث
2. التنبيه على أي تعديلات على الصفحات التي تحتوي على أدوات Carousel Anything من قبل حسابات المساهمين
3. تسجيل ومراجعة جميع تغييرات إعدادات أداة Elementor
4. تنفيذ توقيعات IDS/IPS لأنماط XSS في طلبات HTTP POST إلى wp-admin
التصحيح:
1. الاتصال بمطوري Plus Addons للحصول على جدول زمني لتصحيح الأمان
2. إعداد خطة ترقية عند توفر التصحيح
3. اختبار التصحيح في بيئة التطوير قبل نشره في الإنتاج
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.6.1.1 - Information security roles and responsibilities
ECC 2024 A.5.1.1 - Policies for information security
🔵 SAMA CSF
Governance & Risk Management - Third-party risk management
Information & Cybersecurity - Application security and secure development
Information & Cybersecurity - Vulnerability management
Resilience - Incident response and recovery
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.6.1 - Organization of information security
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.14.2 - Supplier relationships
ISO 27001:2022 A.14.2.5 - Information security in supplier agreements
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure all system components and software are protected from known vulnerabilities
PCI DSS 6.5.7 - Cross-site scripting (XSS)
PCI DSS 12.3 - Establish information security policy
🔗 المراجع والمصادر 4
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/t...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/t...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?old_path=%2Fthe-plus-addons-for-elementor-...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/699e41ad-1991-4100-9ef2-caea7...
security@wordfence.com