Security researchers at Wordfence have discovered a Cross-Site Scripting (XSS) vulnerability in the WordPress page builder plugin Elementor. The bug can enable a full site takeover and affects over seven million websites.
XSS is a type of vulnerability that allows attackers to inject malicious scripts that are then executed in the browser of anyone who visits the compromised website. Such scripts can be used for a number of operations, including stealing cookies and exfiltrating usernames and passwords.
Elementor was made aware of the security bug upon its discovery on February 23, 2021. The company acknowledged the problem and provided a fix in Elementor version 3.1.2, with additional fixes introduced later in version 3.1.4.
About the Elementor Vulnerability Attack
Researchers explain that the security bug could be quite dangerous, as posts are typically reviewed by high-privilege users such as editors and administrators before publishing. If a high-privilege user executes the malicious script, the exploit could create a new malicious administrator account or add a backdoor to the site, allowing the attacker to take over the website.
Among the affected elements are:
- Icon Box
- Image Box
The attack flow is quite simple. Researchers explain that multiple Elementor elements, the Column element for example, accept an html_tag parameter; this parameter could be changed to an inline script tag with a remote source, or it could be abused for attribute-based XSS.
According to Wordfence, while escaping output HTML tags might prevent some of these components from being exploited, output escaping alone is not sufficient to prevent exploitation.
The researchers illustrate this insufficiency with the Heading element, which is not protected by escaping the output of the header_size parameter, because the heading text is nested immediately inside the tag named by header_size. As such, the header_size parameter could be set to script, which would allow attackers to place malicious JavaScript inside it.
Therefore, researchers recommend that Elementor users validate input in addition to escaping output. In fact, the patched version of Elementor uses this same approach to correct the issue.
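The following is an added example, not code from Elementor or from the Wordfence write-up, that shows why escaping the heading text alone does not help when the tag name itself is attacker-controlled, and what validating the tag name against an allowlist changes. The allowlist, the default tag, the helper names (render_escaping_only, render_hardened, validate_html_tag) and the sample inputs are all assumptions constructed for this illustration:

```python
import html
import re

# Constructed sample inputs (not from the advisory): a benign heading and the
# "tag name set to script" case the write-up describes.
SAMPLES = [
    ("h2", "Welcome to our site"),
    ("script", "alert(1)"),
]

# Allowlist of tag names a heading element legitimately needs.
# This list is an assumption for the example, not Elementor's own list.
ALLOWED_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "p"}
DEFAULT_TAG = "h2"


def render_escaping_only(tag: str, text: str) -> str:
    """Vulnerable pattern: the heading text is escaped, but the tag-name
    parameter is interpolated into the markup unchanged. With tag='script'
    and text='alert(1)' the escaped text contains no special characters,
    so a working <script> element is still produced."""
    return f"<{tag}>{html.escape(text)}</{tag}>"


def validate_html_tag(tag: str) -> str:
    """Input validation: only an exact, lowercase, allowlisted tag name is
    accepted; anything else (a script tag, or a value carrying attributes)
    falls back to the default tag."""
    tag = tag.strip().lower()
    if re.fullmatch(r"[a-z][a-z0-9]*", tag) and tag in ALLOWED_TAGS:
        return tag
    return DEFAULT_TAG


def render_hardened(tag: str, text: str) -> str:
    """Hardened pattern: validate the tag name *and* escape the text."""
    safe_tag = validate_html_tag(tag)
    return f"<{safe_tag}>{html.escape(text)}</{safe_tag}>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_element(markup: str) -> bool:
    """Simple check used here only to contrast the two renderers' output."""
    return bool(SCRIPT_TAG.search(markup))


if __name__ == "__main__":
    for tag, text in SAMPLES:
        vulnerable = render_escaping_only(tag, text)
        hardened = render_hardened(tag, text)
        print(f"tag={tag!r}")
        print(f"  escaping only: {vulnerable!r}  script element: {contains_script_element(vulnerable)}")
        print(f"  validated:     {hardened!r}  script element: {contains_script_element(hardened)}")
```

The design point is the one the researchers make: html.escape protects the text node, but the tag name is used as markup structure rather than as data, so the only effective control is rejecting any value that is not an expected tag name before it reaches the template.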
Time to Update
It is recommended that all Elementor users update their installations to at least version 3.1.4, as it includes the required security fixes.