Security researchers issued an advisory on six unique XSS vulnerabilities discovered in the Elementor Website Builder and its Pro version that may allow attackers to inject malicious scripts.
Elementor is a leading website builder platform with over 5 million active installations worldwide, and the official WordPress plugin repository states that it powers over 16 million websites. The drag-and-drop interface allows anyone to quickly create professional websites, while the Pro version extends the platform with additional widgets and advanced ecommerce capabilities.
That popularity has also made Elementor a popular target for hackers, which makes these six vulnerabilities of particular concern.
Elementor Website Builder and the Pro version contain six different Cross-Site Scripting (XSS) vulnerabilities. Five of the vulnerabilities are due to insufficient input sanitization and output escaping, while one is due to insufficient input sanitization alone.
Input sanitization is a standard coding practice for securing the parts of a plugin that let users enter data into a form field or upload media. Sanitization blocks any input that does not conform to what is expected; a properly secured text input, for example, should not accept scripts or HTML, and that is exactly what input sanitization enforces.
Output escaping is the process of securing what the plugin outputs to the browser so that a site visitor’s browser is not exposed to untrusted scripts.
The official WordPress Developer Handbook advises for input sanitization:
“Sanitizing input is the process of securing/cleaning/filtering input data.”
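To make the two concepts concrete, here is an added illustration in plain WordPress PHP (not Elementor’s or Wordfence’s code) of a minimal widget setting saved without and with the protections described above. The option name and function names are hypothetical; only WordPress core functions are used.

```php
<?php
// Added illustration, not code from Elementor or the advisory.
// A stripped-down widget stores a contributor-supplied title and link,
// then renders them for every visitor. Option name is hypothetical.
const DEMO_OPTION = 'demo_path_widget_settings';

// VULNERABLE pattern: raw input saved, raw output printed. A stored
// title such as "<img src=x onerror=...>" runs in every visitor's browser.
function demo_save_settings_unsafe( array $posted ) {
    update_option( DEMO_OPTION, array(
        'title' => $posted['title'] ?? '',
        'link'  => $posted['link']  ?? '',
    ) );
}
function demo_render_unsafe() {
    $s = get_option( DEMO_OPTION, array( 'title' => '', 'link' => '' ) );
    echo '<a href="' . $s['link'] . '">' . $s['title'] . '</a>';
}

// HARDENED pattern: sanitize on the way in (strip what a title or URL
// should never contain) AND escape on the way out, per output context.
function demo_save_settings( array $posted ) {
    update_option( DEMO_OPTION, array(
        // sanitize_text_field() strips tags and control characters
        'title' => sanitize_text_field( wp_unslash( $posted['title'] ?? '' ) ),
        // esc_url_raw() is the storage-safe URL sanitizer (no HTML entities)
        'link'  => esc_url_raw( wp_unslash( $posted['link'] ?? '' ) ),
    ) );
}
function demo_render() {
    $s = get_option( DEMO_OPTION, array( 'title' => '', 'link' => '' ) );
    // Escape even though the input was sanitized: the stored value may have
    // been written by an older, unsanitized code path or another plugin.
    // esc_url() for an href, esc_html() for text between tags;
    // esc_attr() would be used for any other attribute value.
    printf(
        '<a href="%s">%s</a>',
        esc_url( $s['link'] ),
        esc_html( $s['title'] )
    );
}
```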
It’s important to note that all six vulnerabilities are distinct and completely unrelated to each other, and that they arise from insufficient security measures on Elementor’s side. It’s possible that one of them, CVE-2024-2120, affects both the free and pro versions. I contacted Wordfence for clarification on that and will update this article accordingly after I hear back.
The following is a list of the six vulnerabilities and the versions they affect. The first two on the list affect Elementor Website Builder and the next four affect the Pro version. The CVE number refers to the official entry in the Common Vulnerabilities and Exposures database of known vulnerabilities.
All six vulnerabilities are rated as medium-severity security threats and require contributor-level permissions to exploit.
According to Wordfence, there are two vulnerabilities affecting the free version of Elementor, but the changelog shows only one fix.
The issues affecting the free version are in the Text Path Widget and the Post Navigation Widget.
But the changelog for the free version lists only a patch for the Text Path Widget, not the Post Navigation one:
“Security Fix: Improved code security enforcement in Text Path Widget”
The Post Navigation Widget is a navigation feature that allows site visitors to navigate to the previous or next post in a series of posts.
So although it’s missing from the free changelog, it is included in the Elementor Pro changelog, which shows that it’s fixed in that version:
- “Security Fix: Improved code security enforcement in Media Carousel widget
- Security Fix: Improved code security enforcement in Form widget
- Security Fix: Improved code security enforcement in Post Navigation widget
- Security Fix: Improved code security enforcement in Gallery widget
- Security Fix: Improved code security enforcement in Video Playlist widget”
The missing entry in the free changelog may be a misprint by Wordfence, because the official Wordfence advisory for CVE-2024-2120 lists the “software slug” as elementor-pro.
Users of both versions of the Elementor Website Builder are encouraged to update their plugin to the latest version. Although exploiting the vulnerabilities requires an attacker to obtain contributor-level credentials, that is still within the realm of possibility, especially if contributors don’t use strong passwords.
Read the official Wordfence advisories:
Featured Image by Shutterstock/hugolacasse