The Starter Templates — Elementor, Gutenberg & Beaver Builder Templates plugin, by the publishers of the Astra WordPress theme, contains a vulnerability affecting over a million websites. The exploit allows an attacker to upload malicious scripts, stage a total site takeover and attack visitors to the vulnerable website.
Starter Templates — Elementor, Gutenberg & Beaver Builder Templates
The Starter Templates plugin is published by Brainstorm Force, the makers of the wildly popular Astra WordPress theme. The plugin allows users to use over 280 WordPress templates that help speed up website development.
The templates are made to be compatible with Elementor, Gutenberg, Brizy and Beaver Builder, as well as with the Astra theme.
The plugin is installed in over one million websites.
Stored Cross Site Scripting (XSS) Vulnerability
Security researchers at Wordfence discovered that the Starter Templates plugin by Brainstorm Force contains a type of vulnerability that allows an attacker to upload a malicious script that is in turn stored on the website itself.
A Stored XSS vulnerability is particularly troublesome because the uploaded script is stored on the server of the attacked site itself.
The non-profit Open Web Application Security Project (OWASP) describes the seriousness of this kind of XSS vulnerability on their website:
“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc.
The victim then retrieves the malicious script from the server when it requests the stored information.”
Website Takeover and Attacks on Site Visitors
The vulnerability could lead to a total site takeover, and the vulnerable website could also be used to launch attacks on all site visitors.
According to the report by Wordfence:
“An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page…
Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.
This could be used to redirect site visitors to malicious websites, or hijack an administrator’s session in order to create a new malicious administrator or add a backdoor to the site, leading to site takeover.”
Starter Templates Plugin Fixed
The publishers of the Starter Templates plugin were notified by Wordfence of the vulnerability and they promptly patched the plugin in version 2.7.1.
The public changelog for the Starter Templates plugin accurately records the patch:
v2.7.1 – 7-October-2021
– Security Improvement: Validate the site URL before processing the import request.
– Security Improvement: Updated right file upload permission before importing images.
An honest changelog like the one published by Brainstorm Force is a sign of a quality publisher and it’s great to see them being open about closing security issues.
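The first changelog entry describes validating the source URL before an import request is processed. The following is an added example of how such a check can be written in plain PHP; it is not Brainstorm Force's patch or code from the Wordfence report, and the function name, constant name and host `templates.example.com` are assumptions used for illustration.

```php
<?php
// Added example: allowlist check for an import source URL.
// ALLOWED_IMPORT_HOSTS and is_trusted_import_url() are hypothetical names;
// templates.example.com is a placeholder, not the plugin's real template host.
const ALLOWED_IMPORT_HOSTS = ['templates.example.com'];

function is_trusted_import_url(string $url): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed, relative or scheme-less URL
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false; // no plain HTTP and no other schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // userinfo can disguise the real host
    }
    if (isset($parts['port']) && $parts['port'] !== 443) {
        return false; // only the default HTTPS port
    }
    // Exact host comparison, never a substring or suffix test.
    $host = rtrim(strtolower($parts['host']), '.');
    return in_array($host, ALLOWED_IMPORT_HOSTS, true);
}

// Constructed sample inputs: one expected source and several look-alikes.
$samples = [
    'https://templates.example.com/blocks/42.json',
    'http://templates.example.com/blocks/42.json',
    'https://templates.example.com.attacker.test/block.json',
    'https://templates.example.com@attacker.test/block.json',
    'https://attacker.test/?ref=templates.example.com',
    '//templates.example.com/block.json',
];
foreach ($samples as $url) {
    printf("%-6s %s\n", is_trusted_import_url($url) ? 'allow' : 'reject', $url);
}
```

Only the first sample is allowed. In an import handler, a check like this belongs before the remote block is fetched, so that content from an unlisted host never reaches the post or page being written.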
Wordfence Advises that Publishers Update Their Plugin
Wordfence recommends that all publishers using this plugin update to the very latest version of the plugin, 2.7.5, because this newest version also contains important bug fixes.
Citation
Read the Wordfence Report On The Starter Template Vulnerability
Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin