CVE-2024-35660 Overview
CVE-2024-35660 is a Missing Authorization vulnerability affecting the Master Addons for Elementor WordPress plugin developed by Jewel Theme. This security flaw allows unauthenticated attackers to access protected API endpoints without proper authorization checks, potentially leading to unauthorized data access, modification, or complete site compromise.
Critical Impact
This broken access control vulnerability on API endpoints allows unauthenticated remote attackers to bypass authorization mechanisms, potentially gaining full control over WordPress sites running vulnerable versions of Master Addons for Elementor.
Affected Products
- Master Addons for Elementor, all versions up to and including 2.0.5.4.1
- WordPress installations using the vulnerable plugin versions
- Sites utilizing Elementor page builder with Master Addons extension
Discovery Timeline
- 2024-06-09 - CVE-2024-35660 published to NVD
- 2024-11-26 - Last updated in NVD database
Technical Details for CVE-2024-35660
Vulnerability Analysis
This vulnerability stems from a Missing Authorization weakness (CWE-862) in the Master Addons for Elementor plugin. The affected component fails to implement proper authorization checks on API endpoints, allowing any user—including unauthenticated visitors—to interact with protected functionality that should require elevated privileges.
The vulnerability is particularly severe because it can be exploited remotely over the network without any user interaction or prior authentication. An attacker can leverage this broken access control to perform actions that should be restricted to authenticated administrators, potentially compromising the confidentiality, integrity, and availability of the WordPress installation.
Root Cause
The root cause is the absence of capability checks or nonce verification on sensitive API endpoints within the Master Addons for Elementor plugin. WordPress plugins should verify user capabilities using functions like current_user_can() and validate nonces to ensure requests originate from authorized users. The vulnerable code paths in versions up to 2.0.5.4.1 fail to implement these essential security controls, leaving the API endpoints exposed to unauthorized access.
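As an added illustration of the CWE-862 pattern in a WordPress REST route (not Master Addons' own code), the first registration below grants access to everyone while the second adds the capability check the text describes. The namespace, route and option names are hypothetical.

```php
<?php
// Added illustration of the CWE-862 pattern in a WordPress REST route.
// Not Master Addons code: namespace, route and option names are hypothetical.

add_action( 'rest_api_init', function () {
    // VULNERABLE pattern: '__return_true' makes the route public, so any
    // unauthenticated visitor can overwrite the plugin's settings.
    register_rest_route( 'example-addons/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_addons_save_settings',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED pattern: the permission callback enforces a capability check.
    // WordPress cookie authentication only sets the current user when a valid
    // X-WP-Nonce header accompanies the request, so current_user_can() here
    // covers both the capability and the nonce requirement described above.
    register_rest_route( 'example-addons/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_addons_save_settings',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to change these settings.', 'example-addons' ),
                array( 'status' => rest_authorization_required_code() ) // 401 or 403
            );
        },
    ) );
} );

// Shared handler: even with the capability check in place, input is still sanitized.
function example_addons_save_settings( WP_REST_Request $request ) {
    $widgets = array_map( 'sanitize_key', (array) $request->get_param( 'enabled_widgets' ) );
    update_option( 'example_addons_enabled_widgets', $widgets );
    return rest_ensure_response( array( 'enabled_widgets' => $widgets ) );
}
```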
Attack Vector
The attack vector for CVE-2024-35660 is network-based, requiring no authentication or user interaction. An attacker can directly send crafted HTTP requests to the vulnerable API endpoints exposed by the Master Addons plugin. Since no authorization checks are performed, the attacker's requests are processed as if they originated from a privileged user.
The exploitation scenario involves identifying the vulnerable API endpoints and crafting requests that manipulate plugin settings, access sensitive data, or perform administrative actions. For detailed technical analysis of the vulnerable endpoints, refer to the Patchstack Vulnerability Analysis.
Detection Methods for CVE-2024-35660
Indicators of Compromise
- Unexpected changes to Master Addons plugin settings or configurations
- Anomalous API requests to WordPress REST API endpoints associated with the Master Addons plugin
- Unauthorized modifications to Elementor page content or templates
- Unusual user account creation or privilege changes coinciding with plugin activity
Detection Strategies
- Monitor WordPress access logs for suspicious requests to Master Addons API endpoints from unauthenticated sources
- Implement Web Application Firewall (WAF) rules to detect and block unauthorized API access patterns
- Review plugin configuration changes and audit logs for unauthorized modifications
- Deploy file integrity monitoring to detect unexpected changes to plugin files or WordPress database entries
Monitoring Recommendations
- Enable detailed logging for WordPress REST API requests and filter for Master Addons-related endpoints
- Configure alerting for any API requests that bypass normal authentication flows
- Regularly audit installed plugin versions against known vulnerability databases
- Implement anomaly detection for unusual patterns in WordPress administrative actions
How to Mitigate CVE-2024-35660
Immediate Actions Required
- Update Master Addons for Elementor plugin to a version newer than 2.0.5.4.1 immediately
- Review WordPress site for any signs of compromise or unauthorized changes
- Temporarily disable the plugin if an update is not immediately available
- Implement a WAF rule to block unauthenticated requests to Master Addons API endpoints as a temporary measure
Patch Information
Site administrators should update the Master Addons for Elementor plugin through the WordPress admin dashboard or by manually downloading the latest version from the official WordPress plugin repository. Ensure that the installed version is newer than 2.0.5.4.1 to address this vulnerability. Verify the update by checking the plugin version in the WordPress Plugins menu after installation.
Workarounds
- Disable the Master Addons for Elementor plugin until a patched version can be installed
- Implement server-level access controls to restrict API endpoint access to authenticated users only
- Use a security plugin or WAF to add authorization requirements to vulnerable endpoints
- Restrict access to the WordPress REST API at the web server configuration level as a temporary measure
# Example: block requests to the Master Addons REST namespace that carry no
# WordPress login cookie (Apache .htaccess in the WordPress root directory).
# Confirm the namespace path against the routes the plugin actually registers.
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form (adjust the prefix if WordPress lives in a subdirectory)...
RewriteCond %{REQUEST_URI} ^/wp-json/master-addons/ [NC,OR]
# ...or the ?rest_route= form (slash may be URL-encoded), which REQUEST_URI alone would not match
RewriteCond %{QUERY_STRING} (^|&)rest_route=[^&]*master-addons [NC]
# Presence check only: the cookie value is not validated here, so this is a
# stop-gap, not a substitute for the plugin update
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
RewriteRule .* - [F,L]
</IfModule>
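The "add authorization requirements to vulnerable endpoints" workaround and the REST request logging from the monitoring recommendations can be combined in one must-use plugin, shown here as an added example (not vendor code): it denies and logs requests to a REST namespace unless a capability-checked user made them. The namespace constant is an assumption to be confirmed against the plugin's registered routes.

```php
<?php
/**
 * Plugin Name: Example REST namespace guard (added illustration, not vendor code)
 * Description: Denies and logs unauthorized requests to a plugin's REST
 *              namespace. Drop into wp-content/mu-plugins/ as a temporary
 *              virtual patch until the vulnerable plugin is updated.
 */

// Assumption: the vulnerable routes live under this REST namespace. Confirm it
// against the plugin's registered routes (GET /wp-json/ lists all namespaces).
const EXAMPLE_GUARDED_NAMESPACE = '/master-addons/';

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // get_route() yields the same "/master-addons/v1/..." path whether the request
    // used /wp-json/ pretty permalinks or the ?rest_route= fallback.
    $route = $request->get_route();
    if ( 0 !== strpos( $route, EXAMPLE_GUARDED_NAMESPACE ) ) {
        return $result; // not the guarded namespace: leave untouched
    }

    // Cookie auth only yields a logged-in user when a valid X-WP-Nonce was sent,
    // so this check also rejects forged or nonce-less cookie requests.
    if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Monitoring: record the denied attempt as one JSON line for log review/alerting.
    error_log( wp_json_encode( array(
        'event'  => 'rest_namespace_guard_denied',
        'route'  => $route,
        'method' => $request->get_method(),
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'user'   => get_current_user_id(),
    ) ) );

    // Returning WP_Error from rest_pre_dispatch short-circuits the request
    // before the route's own (missing) permission check would run.
    return new WP_Error(
        'rest_forbidden',
        __( 'Authorization required for this endpoint.', 'example-guard' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Any legitimate public use of the guarded namespace (front-end form submissions, for instance) is blocked as well, so narrow the route prefix to the affected endpoints where that matters.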
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.