Over 7 Million Websites Affected by Popular WordPress Plugin
Multiple cross-site scripting vulnerabilities were found in the Elementor WordPress plugin, enabling a full site takeover.
On February 23rd, security researchers at Wordfence disclosed a set of vulnerabilities in the Elementor plugin for WordPress that affected more than 7 million websites. The flaw is classified as a stored cross-site scripting (XSS) vulnerability and can allow attackers to take full control of a website.
According to our Cybersecurity Glossary,
Cross-site scripting (XSS) is a software vulnerability usually found in web applications. It allows online criminals to inject client-side script into pages that other users view. Attackers can also use a cross-site scripting vulnerability to bypass access controls. The issue can become a significant security risk unless the network administrator or the website owner takes the necessary security measures.
Since these vulnerabilities rely on dynamic data rendered in a template being used to inject malicious scripts, the attack can be blocked by validating the input and escaping the output. That way, any HTML tags supplied as input are rendered as harmless text rather than interpreted by the browser.
Additionally, a remote code execution (RCE) vulnerability was discovered in WP Super Cache, the static caching plugin for WordPress. The RCE could allow a threat actor to upload and execute malicious code with the goal of gaining complete control of the website. Reportedly, the plugin is used on more than two million WordPress websites.
In light of these findings, Elementor has patched the vulnerabilities in version 3.1.4 and strongly recommends that all users update to the latest version available, which is 3.1.4 at the time of publication, to mitigate the risk associated with the flaws.