Wordfence has advised that all users of the popular WordPress website builder plugin Elementor, whether on the Free or the Pro version, update to the latest version available (currently version 3.1.4). A stored XSS vulnerability in Elementor can be used to steal administrator credentials, which could lead to a site takeover and the site being weaponized with malicious code. Although an attacker must first hold at least a Contributor role on the targeted WordPress website, SKOUT still recommends that all users of the Elementor plugin urgently update to the latest version, since more than seven million WordPress sites use this plugin.
Technical Detail & Additional Information
WHAT IS THE THREAT?
WHY IS IT NOTEWORTHY?
WHAT IS THE EXPOSURE OR RISK?
Due to the privileges required, security researchers expect that the vulnerability will be used primarily in targeted attacks rather than widespread attempts. If an attack is successful, it would give the attacker a foot in the door to execute further privilege escalation. For sites with multiple contributors, authors, editors, and admins, the attack surface is much wider. While millions of sites using the Elementor plugin are still vulnerable, Wordfence reported that they are not currently seeing active exploits against these vulnerabilities.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends immediately updating the Elementor plugin on all WordPress websites that use it. Because Elementor is so widely deployed, SKOUT urges prompt action to bring every site using it to at least version 3.1.4, which is currently the latest version. Updating mitigates the risk posed by the vulnerability. As a best practice, keep every WordPress plugin updated to its latest version: the latest version usually includes new features as well as fixes for bugs or vulnerabilities present in earlier versions.
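A defender-side check for the recommendation above, written for this summary and not taken from Wordfence, Elementor or WordPress: it reads the `Version:` header of the Elementor main plugin file and reports whether the installed version is below the fixed 3.1.4 named in the advisory. The sample header text is constructed, and the plugin file path `wp-content/plugins/elementor/elementor.php` is an assumption about a standard install.

```python
import re
from typing import Optional

# Fixed version named in the advisory for the Elementor plugin.
ELEMENTOR_FIXED_VERSION = "3.1.4"

# Constructed sample of a plugin header block, as found at the top of
# wp-content/plugins/elementor/elementor.php (assumed path). Not from a real site.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Elementor
 * Version: 3.1.3
 * Text Domain: elementor
 */
"""

# Loose header matching in the style WordPress uses for plugin headers:
# any mix of spaces, tabs, '/', '*', '#' or '@' may precede the key.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the 'Version:' header value, or None if the header is missing."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Sortable key: numeric segments padded to 4, then 0 for a release or -1 for a pre-release."""
    nums, pre = [], 0
    for part in version.split("."):
        m = re.match(r"(\d+)(.*)$", part)
        if not m:
            raise ValueError(f"unparseable version segment: {part!r}")
        nums.append(int(m.group(1)))
        if m.group(2):  # e.g. "4-beta1": a pre-release sorts below the release
            pre = -1
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums) + (pre,)


def needs_update(installed: str, fixed: str = ELEMENTOR_FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return version_key(installed) < version_key(fixed)


def check_plugin_file(header_text: str, fixed: str = ELEMENTOR_FIXED_VERSION) -> dict:
    """Summarise whether the plugin file's declared version still needs the fix."""
    installed = parse_plugin_version(header_text)
    if installed is None:
        return {"installed": None, "needs_update": None, "note": "no Version header found"}
    return {"installed": installed, "needs_update": needs_update(installed, fixed), "note": ""}
```

Running `check_plugin_file` over each site's Elementor main file gives an inventory of which installs are still below 3.1.4; string comparison alone would misorder versions such as 3.10.0, which is why the numeric key is used.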
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.