On February 23rd, security researchers at Wordfence disclosed a set of vulnerabilities in the Elementor plugin for WordPress that affected more than 7 million websites. The flaw is classified as a Stored Cross-Site Scripting (XSS) vulnerability and can allow attackers to take full control of a website.

According to our Cybersecurity Glossary,

Cross-site scripting (XSS) is a software vulnerability usually found in Web applications. XSS allows online criminals to inject client-side script into pages that other users view. The cross-site scripting vulnerability can be employed at the same time by attackers to over-write access controls. This issue can become a significant security risk unless the network administrator or the website owner takes the necessary security means.

The researchers discovered that a number of Elementor elements, such as Heading, Column, Accordion, Icon Box, and Image Box, were vulnerable to the stored XSS attack, which makes it possible for any user with access to the Elementor editor to add executable JavaScript to a post or page.


Since the vulnerabilities exploit the fact that dynamic data listed in a template could be used to include malicious scripts intended to launch XSS attacks, such behavior can be blocked by validating the input and escaping the output data. This way, any HTML tags passed as inputs are rendered harmless.

Elementor is a wildly popular editor plugin that gives content creators, including contributors, the ability to visually design websites using “elements” that can be added to any location on the page being built. Many of these elements offer the option to set an HTML tag for the content within. For example, the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter. Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request.
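The server-side check described above can be sketched as follows. This is an added example, not Elementor's or Wordfence's code: the helper names `validate_wrapper_tag` and `render_heading`, the tag list, and the `title` setting are assumptions, while `header_size` is the parameter named above. Plain PHP `htmlspecialchars` stands in for WordPress escaping helpers so the script runs on its own, and the title is assumed to be plain text.

```php
<?php
// Added example: hypothetical helper names, not the plugin's own code.

// Tags a heading-style element may be wrapped in (assumed list).
const ALLOWED_WRAPPER_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Return $tag only when it is an exact match for an allowlisted tag name.
 * Anything else (wrong type, unknown tag, tag plus extra text) becomes $default.
 */
function validate_wrapper_tag($tag, string $default = 'h2'): string
{
    if (!is_string($tag)) {
        return $default;
    }
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_WRAPPER_TAGS, true) ? $tag : $default;
}

/** Render a heading: the tag name is validated, the text is escaped on output. */
function render_heading(array $settings): string
{
    $tag  = validate_wrapper_tag($settings['header_size'] ?? null);
    $text = htmlspecialchars((string) ($settings['title'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<%1$s class="heading-title">%2$s</%1$s>', $tag, $text);
}

// Constructed sample settings, shaped like values saved from the editor.
$samples = [
    ['header_size' => 'h3', 'title' => 'Pricing & plans'],           // valid tag, kept
    ['header_size' => 'script', 'title' => 'not an allowed wrapper'], // falls back to h2
    ['header_size' => 'h2 data-x="1"', 'title' => '<b>markup</b>'],  // extra text rejected
    ['header_size' => ['h1'], 'title' => 'wrong type'],               // non-string rejected
];

foreach ($samples as $settings) {
    echo render_heading($settings), PHP_EOL;
}
```

The exact-match allowlist is the important part: escaping alone does not help when the untrusted value is used as the tag name itself.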


Additionally, a remote code execution (RCE) vulnerability was discovered in WP Super Cache, the static caching plugin for WordPress. The RCE could allow a threat actor to upload and execute malicious code with the goal of gaining complete control of the website. Reportedly, the plugin is used on more than two million WordPress websites.

Elementor has patched these vulnerabilities in version 3.1.4 and strongly recommends that all users update to the latest version available, which is 3.1.4 at the time of publication, to mitigate the risk associated with the flaws.
