CVE Vulnerability Database

CVE-2024-11601: Sky Addons For Elementor CSRF Vulnerability

CVE-2024-11601 is a Cross-Site Request Forgery flaw in the Sky Addons for Elementor plugin for WordPress that allows attackers to modify WordPress site options. This article covers technical details, affected versions, and mitigation steps.

CVE-2024-11601 Overview

The Sky Addons for Elementor plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 2.6.1. The flaw stems from missing or incorrect nonce validation in the save_options() function. Unauthenticated attackers can update arbitrary WordPress options by tricking an administrator into clicking a crafted link. Exploitation is constrained to option values that can be saved as arrays. The plugin ships features such as the Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, and Video Gallery.

Critical Impact

Successful exploitation enables unauthenticated attackers to modify arbitrary WordPress options that accept array values, leading to integrity and availability impact on affected sites.

Affected Products

  • Wowdevs Sky Addons for Elementor (Free) — all versions through 2.6.1
  • WordPress sites with the plugin installed and active
  • Administrator accounts targeted via social engineering vectors

Discovery Timeline

  • 2024-11-22 - CVE-2024-11601 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-11601

Vulnerability Analysis

The vulnerability is a Cross-Site Request Forgery flaw [CWE-352] combined with missing authorization [CWE-862] in the plugin's administrative options handler. The save_options() function in includes/admin.php does not properly validate a WordPress nonce before processing incoming requests. As a result, the endpoint cannot distinguish between legitimate administrator actions and forged requests originating from external sites. An attacker who lures an authenticated administrator to a malicious page can cause the browser to submit an authenticated request that mutates plugin and site options. The scope of writable options is limited to those whose values are stored as arrays, but this still allows tampering with site configuration data.

Root Cause

The root cause is the absence of a wp_verify_nonce() (or check_admin_referer()) check before invoking the option-save routine. WordPress provides nonce primitives specifically to defend state-changing endpoints, and omitting them removes the only barrier between cross-origin requests and privileged actions.
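To make the root cause concrete, the following is an added illustration of a handler with the shape described above beside a hardened version; it is not the plugin's actual code. The function names, the `sky_options_nonce` action string, the `sky_save_options` hook name and the allowlisted option names are assumptions.

```php
<?php
// Hypothetical handler shaped like the flaw described above; NOT the plugin's real code.
// Vulnerable form: no nonce check, no capability check, any option name is accepted.
function sky_save_options_vulnerable() {
    // Each submitted key is written back as an array, which is why only options
    // that accept array values are reachable through this endpoint.
    foreach ( (array) ( $_POST['options'] ?? array() ) as $name => $value ) {
        update_option( sanitize_key( $name ), (array) $value );
    }
    wp_die();
}

// Hardened form: verify the nonce, check the capability, and only touch allowlisted options.
function sky_save_options_hardened() {
    // check_admin_referer() dies unless $_REQUEST['_wpnonce'] was minted by WordPress
    // for this action and the current user; a cross-site form cannot obtain that value.
    check_admin_referer( 'sky_options_nonce' ); // 'sky_options_nonce' is an assumed action name

    // A nonce proves intent, not privilege: still require the option-managing capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient privileges', '', array( 'response' => 403 ) );
    }

    // Only the plugin's own settings may be written, never arbitrary wp_options rows.
    $allowed  = array( 'sky_addons_settings', 'sky_addons_widgets' ); // assumed option names
    $incoming = (array) ( $_POST['options'] ?? array() );
    foreach ( $incoming as $name => $value ) {
        if ( ! in_array( $name, $allowed, true ) ) {
            continue;
        }
        // map_deep() sanitizes every leaf of a nested array.
        update_option( $name, map_deep( (array) $value, 'sanitize_text_field' ) );
    }
    wp_send_json_success();
}

// The admin page that posts to this handler must embed a nonce for the same action,
// e.g. wp_nonce_field( 'sky_options_nonce' ), so legitimate requests carry _wpnonce.
add_action( 'wp_ajax_sky_save_options', 'sky_save_options_hardened' ); // hook name assumed
```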

Attack Vector

The attack vector is network-based and requires user interaction. An attacker hosts a page containing an auto-submitting form or image tag that issues a request to the vulnerable admin endpoint on a target WordPress site. When a logged-in administrator visits the attacker-controlled page, the browser includes the administrator's session cookies, and the server processes the forged request as authentic. No prior authentication on the target site is required from the attacker.

No verified public proof-of-concept code is available. See the Wordfence Vulnerability Analysis and the vulnerable function in admin.php for technical details.

Detection Methods for CVE-2024-11601

Indicators of Compromise

  • Unexpected changes to WordPress option values stored as arrays in the wp_options table
  • HTTP POST requests to the plugin's admin-ajax or admin endpoint with Referer headers pointing to external domains
  • Administrator session activity originating from unusual geographic locations or user agents shortly before option changes
  • Presence of Sky Addons for Elementor plugin at version 2.6.1 or earlier

Detection Strategies

  • Inspect web server access logs for requests to the plugin's option-save handler that lack a valid _wpnonce parameter
  • Audit wp_options table modifications and correlate timestamps with administrator browsing activity
  • Compare installed plugin versions against the patched release across the WordPress estate

Monitoring Recommendations

  • Forward WordPress admin and web server logs into a centralized SIEM or data lake for correlation across hosts
  • Alert on cross-origin Referer headers targeting /wp-admin/ endpoints from authenticated sessions
  • Monitor file integrity for plugin files under wp-content/plugins/sky-elementor-addons/

How to Mitigate CVE-2024-11601

Immediate Actions Required

  • Update Sky Addons for Elementor to a version newer than 2.6.1 that includes the nonce validation fix
  • Audit wp_options entries for unauthorized modifications since the plugin was installed
  • Require administrators to log out of WordPress before browsing untrusted sites and to use a dedicated browser profile for admin tasks
  • Enforce least-privilege role assignment so that fewer accounts hold the manage_options capability

Patch Information

The vendor addressed the issue in the plugin's WordPress.org repository. Review the plugin changeset for the corrective commit that introduces nonce validation around the save_options() handler. Apply the latest available version from the WordPress plugin directory.

Workarounds

  • Deactivate and remove the Sky Addons for Elementor plugin until the patched version can be deployed
  • Deploy a Web Application Firewall (WAF) rule that blocks requests to the plugin admin endpoint lacking a valid _wpnonce parameter or with off-site Referer headers
  • Restrict administrative access to the WordPress dashboard by IP allowlist at the reverse proxy or hosting layer

```bash
# Configuration example: list the installed plugin version via WP-CLI, then update it
wp plugin get sky-elementor-addons --field=version
wp plugin update sky-elementor-addons
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
