2M+ WordPress Sites Hit By Essential Addons For Elementor Vulnerability


XSS vulnerabilities in Essential Addons for Elementor could allow attackers to inject malicious scripts into WordPress websites

Two Stored Cross-Site Scripting (XSS) vulnerabilities could allow attackers to inject malicious scripts into WordPress sites
The XSS vulnerabilities originated with inadequate input sanitization and output escaping
The vulnerabilities are rated as medium-level threats
WordPress Vulnerability

Security researchers at Wordfence published an advisory on the popular Essential Addons For Elementor WordPress plugin, which was found to contain two Stored Cross-Site Scripting (XSS) vulnerabilities. The plugin is installed on over 2 million websites.

Flaws in two different widgets that are a part of the plugin are responsible for the vulnerabilities.

Two Widgets That Lead To Vulnerabilities

Countdown Widget
Woo Product Carousel Widget

Essential Addons For Elementor

Essential Addons is a plugin that extends the popular Elementor WordPress page builder. Elementor makes it easy for anyone to build a website without writing code, and Essential Addons adds further features and widgets on top of it. Each widget's settings are entered through the editor and stored with the page, which is why a flaw in how a widget handles those settings becomes a stored vulnerability.

The Vulnerability

The advisory by Wordfence announced that the plugin contained Stored Cross-Site Scripting (XSS) vulnerabilities that allow an attacker to save a malicious script into a page so that it runs in the browser of every visitor who views that page. Script running in a visitor's browser can attempt to steal session cookies; WordPress sets its authentication cookies as HttpOnly, so the more practical danger is that a script executing in a logged-in administrator's browser can act as that administrator, for example creating accounts or altering site content, which can lead to a full takeover of the website.

XSS vulnerabilities are among the most common web vulnerabilities. They arise when untrusted input, such as the text a user types into a form field or a widget setting, is written into a page without being properly sanitized and escaped, so the browser treats it as markup or script instead of as plain text.

Plugins typically "sanitize" inputs on the way in, meaning they validate or filter a value before storing it: stripping tags from a field that should only hold plain text, or accepting only the values an option actually permits (an alignment setting, for instance, should never be anything other than left, center or right).

The second defence is to "escape output". When a stored value is written into HTML, the characters that have special meaning in that context (such as <, >, " and &) are encoded so that the browser renders them as literal text rather than interpreting them. Escaping does not remove data; it neutralizes it. The correct escaping depends on where the value lands (an HTML text node, an attribute value, a URL or a JavaScript string), so a value escaped for one context can still be dangerous in another.

Wordfence cites the absence of both defences, insufficient input sanitization and insufficient output escaping, as the cause of both vulnerabilities.
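The following PHP script is an added illustration of the two defences just described; it is not code from Essential Addons for Elementor or from Wordfence, and the widget markup, function names and payloads are constructed for the example. It models the two settings named in the advisories, a free-text message and an alignment option, and renders them once without and once with the protections. Plain PHP functions stand in for the WordPress helpers so it runs from the command line without WordPress; the WordPress function each one corresponds to is noted in the comments.

```php
<?php
// Added example, not code from Essential Addons for Elementor or Wordfence.
// Two widget settings are modelled: a free-text "message" and an "alignment"
// option that should only ever be left, center or right. The WordPress
// helpers are replaced by plain-PHP stand-ins so the script runs on its own;
// the WordPress function each one corresponds to is noted in comments.

/** Stand-in for esc_html()/esc_attr(): encode for HTML text and attribute contexts. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Input sanitization for a plain-text setting (cf. sanitize_text_field()). */
function sanitize_message(string $raw): string
{
    // Drop control characters (tab, LF and CR excepted) and surrounding whitespace;
    // everything else is kept as text and neutralized later by escaping.
    return trim(preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $raw));
}

/** Input validation for an enumerated setting: an allow-list, not a filter. */
function validate_alignment(string $raw): string
{
    return in_array($raw, ['left', 'center', 'right'], true) ? $raw : 'left'; // safe default
}

/** Vulnerable rendering: stored settings concatenated straight into markup. */
function render_vulnerable(array $settings): string
{
    return '<div class="countdown" style="text-align:' . $settings['alignment'] . '">'
         . '<p class="message">' . $settings['message'] . '</p></div>';
}

/** Hardened rendering: validate the enum, sanitize the text, escape at every sink. */
function render_hardened(array $settings): string
{
    $alignment = validate_alignment($settings['alignment']);
    $message   = sanitize_message($settings['message']);
    return '<div class="countdown" style="text-align:' . esc($alignment) . '">'  // cf. esc_attr()
         . '<p class="message">' . esc($message) . '</p></div>';                  // cf. esc_html()
}

// Constructed sample input: what a Contributor could save into the two settings.
$settings = [
    'message'   => 'Sale ends soon<script>alert(document.domain)</script>',
    'alignment' => 'left"><img src=x onerror="alert(document.domain)">',
];

echo "VULNERABLE:\n", render_vulnerable($settings), "\n\n";
echo "HARDENED:\n",   render_hardened($settings),   "\n";
```

Run it with `php example.php`. In the vulnerable output the alignment value breaks out of the style attribute and adds an img element with an onerror handler, while the message carries a script element; in the hardened output the alignment falls back to left and the script tags appear as literal text. Two caveats carry over to real plugin code: each sink needs the escaper for its own context (esc_attr() for attribute values, esc_html() for text, esc_url() for href and src), and no escaping function makes an arbitrary string safe inside a style attribute, so a CSS value such as text-align should come from an allow-list as shown. When a message legitimately needs limited markup, the WordPress answer is wp_kses_post() rather than full escaping: it keeps an allow-list of tags and attributes while stripping script elements and event handlers.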

They warned about the countdown widget:

“The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget’s message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The warning about the Woo Product Carousel Widget:

“The Essential Addons for Elementor …plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the alignment parameter in the Woo Product Carousel widget in all versions up to, and including, 5.9.10 due to insufficient input sanitization and output escaping.”


Authenticated Attackers

The phrase "authenticated attackers" means the attacker must already hold an account on the target site; these vulnerabilities require Contributor-level access or higher. Contributor is the lowest role that can create and edit its own posts, but it cannot publish them, so the typical attack path is to lure a higher-privileged user, such as an editor or administrator reviewing the post, into viewing the injected content. Sites that allow open registration or that hand out Contributor accounts to guest authors are therefore the most exposed.

Medium Level Threat – Updating Recommended

The vulnerabilities are rated as a medium threat, with a CVSS score of 6.4 out of 10, where 10 is the most critical. The score is held down by the need for an existing account, not by any lack of impact once the script is in place.

Sites running version 5.9.11 or lower should update to the latest version of the plugin, 5.9.13 at the time of writing. The installed version can be confirmed under Plugins in the WordPress dashboard.

Read the Wordfence security bulletins:

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Featured Image by Shutterstock/Aleksandrs Sokolovs

Roger Montti, SEJ Staff, Owner at Martinibuster.com
