WordPress Elementor Vulnerability Affects +7 Million

Security researchers at Wordfence discovered a vulnerability on sites built with Elementor. The exploit is a type designated as a Stored Cross-site Scripting (XSS) vulnerability.  It has the potential to enable attackers to seize control of a website.

Stored Cross Site Vulnerability

Cross Site Scripting (XSS) is a type of vulnerability where an attacker uploads a malicious script that will then be executed by anyone who visits the web page where the script is displayed to the browser.

The script can do any number of things like steal cookies, password credentials and so on.

This particular version of XSS exploit is called a Stored Cross Site Scripting vulnerability because it is stored on the website itself.

The other kind of XSS is called a Reflected Cross Site Scripting, which depends on a link being clicked (like through an email).

Stored Cross Site Scripting is has the greater potential to do harm because it can attack any visitor to a web page.

Stored XSS Elementor Exploit

The stored XSS vulnerability affecting Elementor can be used to steal administrator credentials. The attacker must however first obtain a publishing level WordPress user role, even the lowest Contributor level can initiate the attack.

Contributor level WordPress role is a low level of registered user that can read, publish, edit and delete their own articles on a website. They cannot however upload media files like images.

How the Elementor Vulnerability Attack Works

The vulnerability exploits a loophole that allows an attacker the ability to upload a malicious script within the editing screen.

The loophole existed in six Elementor components:

  1. Accordion
  2. Icon Box
  3. Image Box
  4. Heading
  5. Divider
  6. Column

Wordfence explained how attackers exploit these components:

“Many of these elements offer the option to set an HTML tag for the content within. For example, the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.

Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request.”

Once the script was uploaded any visitor to the web page, even if it’s the editor previewing the page before publishing, could execute the code in the browser and have their authenticated session made available to the attacker.

Update Elementor Now

It is recommended by Wordfence that all users of Elementor update their version to at least 3.1.4 (per Wordfence) although the official Elementor Pro changeglog states that there’s a security fix.

A changelog is a software developer’s official record of changes to every version of the software.

It may be prudent to update to the very latest version available, as Elementor Pro 3.2.0 fixes a security issue:

“Sanitized options in the editor to enforce better security policies”

Citations

Official Wordfence Announcement:
Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

Elementor Pro Changelog

#