WordPress Elementor Vulnerability Puts at Risk 7 Million Websites

Security researchers at Wordfence have discovered a Cross-Site Scripting (XSS) vulnerability in the WordPress page builder plugin Elementor. The bug can enable a full site takeover and affects over seven million websites.

XSS is a type of vulnerability that allows attackers to inject malicious scripts that are then executed in the browser of anyone who visits the compromised website. Such scripts can be used for a number of operations, including stealing cookies and exfiltrating passwords and usernames.

Elementor was made aware of the security bug upon its discovery on February 23, 2021. The company acknowledged the problem and provided a fix in Elementor version 3.1.2, with additional fixes introduced later in version 3.1.4.

About the Elementor Vulnerability Attack

The vulnerability exploits a loophole that allows attackers to upload malicious JavaScript through the editing screen. The script then executes when another user, be it a contributor or an editor, opens the compromised post.

Researchers explain that the security bug could be quite dangerous because posts are typically reviewed by high-privilege users such as editors and administrators before publishing. If a high-privilege user executes the malicious script, the exploit could create a new malicious administrator or add a backdoor to the site, allowing the attacker to take over the website.

The malicious JavaScript could be added in multiple ways depending on the target Elementor element. Wordfence found the following six Elementor components to be vulnerable to the attack:

  1. Accordion
  2. Icon Box
  3. Image Box
  4. Heading
  5. Divider
  6. Column 

The attack flow is quite simple. Researchers explain that because multiple Elementor elements (the Column element, for example) accept an html_tag parameter, that parameter could be changed to an inline script with a remote source, or it could be attacked with an attribute-based XSS.

According to Wordfence, while escaping output HTML tags might prevent some of these components from being exploited, output escaping alone is not sufficient to prevent exploits.

The researchers illustrate this insufficiency with the “Heading” element, which is not protected by escaping the output of the header_size parameter because the heading text is nested immediately inside the header_size tag. As such, the header_size parameter could be set to script, which would allow attackers to add malicious JavaScript to it.

Therefore, researchers recommend that Elementor users validate input in addition to escaping output. In fact, the patched version of Elementor uses this same approach to correct the issue.
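The Heading case described above, as an added example that is not Elementor's own code: a renderer that only escapes its output is compared with one that also validates the tag name against an allowlist. The function names, the allowlist contents and the sample settings are assumptions constructed for illustration.

```php
<?php
// Added illustration; the function names are hypothetical, not Elementor's code.

// Tags a heading may legitimately render as (assumed allowlist).
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Standard HTML output escaping.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escapes both values on output but never checks what the tag name is.
// A tag name such as "script" contains nothing to escape, so it passes through
// and the heading text becomes the body of that element.
function render_heading_escape_only(string $tag, string $title): string {
    return sprintf('<%1$s>%2$s</%1$s>', esc($tag), esc($title));
}

// Validates the tag name against the allowlist first, then escapes the text.
function render_heading_validated(string $tag, string $title): string {
    $tag = strtolower(trim($tag));
    if (!in_array($tag, ALLOWED_HEADING_TAGS, true)) {
        $tag = 'h2'; // anything outside the allowlist falls back to a safe default
    }
    return sprintf('<%1$s>%2$s</%1$s>', $tag, esc($title));
}

// Constructed sample settings, as they could be saved from the editing screen.
$samples = [
    ['h3', 'Quarterly results'],                      // ordinary heading
    ['script', 'console.log(1)'],                     // header_size set to "script"
    ['h1 data-demo=1', 'Attribute appended to tag'],  // extra attribute in the tag name
];

foreach ($samples as [$tag, $title]) {
    echo "tag setting:  $tag\n";
    echo "escape only:  " . render_heading_escape_only($tag, $title) . "\n";
    echo "validated:    " . render_heading_validated($tag, $title) . "\n\n";
}
```

For the second and third samples the escape-only output keeps the supplied tag name unchanged, while the validated output falls back to a plain h2 heading.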

Time for Update

It is recommended that all Elementor users update their software to at least version 3.1.4 as it includes the required security fixes. 


Reactionary Times News Desk
