Threat Update
Wordfence has advised that all users of the popular WordPress website builder plugin Elementor update to the latest version available (currently version 3.1.4), including users of either the Free version or Pro version. There is a stored XSS vulnerability affecting Elementor that can be used to steal administrator credentials, which could lead to a site takeover and a site being weaponized with malicious code. Though an attacker must first have at least a Contributor role to the targeted WordPress website, SKOUT still recommends that all users of the Elementor plugin urgently update to the latest version since there are over seven million WordPress sites that use this plugin.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Any user able to access the Elementor editor with at least a Contributor role would be able to add JavaScript to posts on the website. The JavaScript would be executed once the post is viewed, edited, or previewed by anyone with editing permissions and could be used to take over a site if the victim has the role of Administrator. In one of several possible scenarios, an attacker adds the malicious JavaScript to a post; when an administrator later visits that post, the JavaScript runs in the administrator's browser and could create rogue admin accounts or inject code to take over the site.
WHY IS IT NOTEWORTHY?
Researchers at Wordfence originally disclosed a set of stored Cross-Site Scripting (XSS) vulnerabilities in the Elementor plugin in February of this year, which prompted an initial patch that partially addressed the issue. The additional fixes were recently added, and the latest version contains the patches for the vulnerabilities, along with fixes for other less severe bugs in the plugin. The root cause is a lack of server-side validation of HTML tags, which lets a bad actor insert executable JavaScript into content the plugin stores and later renders.
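The two passages above describe the attack (script added by a Contributor, executed in an administrator's browser) and its root cause (no server-side validation of HTML tags). The following is an added example, not Elementor or WordPress code, showing what that missing validation looks like: an allowlist sanitizer that rebuilds submitted markup from a small set of permitted tags and attributes, drops script elements, event-handler attributes and javascript: URLs, and records every rejection so the same routine doubles as a defender-side scan of already-stored content. The allowlist, the sample posts and the post IDs are all constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: a deliberately small subset of post markup that a
# Contributor-level user could be allowed to submit. Assumption for this example.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img",
                "ul", "ol", "li", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
# Elements whose text content is itself code: drop the element and its body.
DROP_CONTENT_TAGS = {"script", "style"}


def is_safe_url(value: str) -> bool:
    """Allow relative URLs and http(s)/mailto; reject javascript:, data:, etc."""
    # Browsers ignore embedded whitespace/control characters in a scheme, so
    # compact the value before inspecting it, and compare case-insensitively.
    compact = "".join(ch for ch in value if not ch.isspace() and ch.isprintable()).lower()
    if compact.startswith(("/", "#", "?")) or ":" not in compact:
        return True  # no scheme at all: relative URL
    return compact.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted markup and record everything that was rejected."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.findings: list[str] = []
        self._dropping = 0  # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping += 1
            self.findings.append(f"dropped <{tag}> element with its content")
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped tag <{tag}>")
            return  # the tag goes away; its inner text is kept as plain text
        kept = []
        for name, value in attrs:
            value = value or ""  # bare attributes parse with value None
            if name.startswith("on"):
                self.findings.append(f"dropped event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"dropped attribute {name} on <{tag}>")
            elif name in URL_ATTRS and not is_safe_url(value):
                self.findings.append(f"dropped unsafe {name}={value!r} on <{tag}>")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = max(0, self._dropping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._dropping:
            return  # script/style body: never re-emitted
        self.out.append(escape(data, quote=False))  # text is re-escaped on output


def sanitize(fragment: str) -> tuple[str, list[str]]:
    """Return (clean_html, findings). Comments are dropped; tags are not re-balanced."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings


def scan_posts(posts: dict[str, str]) -> dict[str, list[str]]:
    """Defender-side check: which stored posts carry markup the allowlist rejects."""
    flagged = {}
    for post_id, content in posts.items():
        _, findings = sanitize(content)
        if findings:
            flagged[post_id] = findings
    return flagged


# Constructed sample content; post-2..post-4 model the stored-XSS pattern described above.
SAMPLE_POSTS = {
    "post-1": '<p>Quarterly update: see <a href="https://example.com/report" title="Report">the report</a>.</p>',
    "post-2": '<p>Hi</p><script>alert(document.cookie)</script>',
    "post-3": '<img src="x" onerror="alert(document.cookie)">',
    "post-4": '<a href="JaVaScRiPt:alert(1)">click</a>',
}

if __name__ == "__main__":
    for post_id, findings in scan_posts(SAMPLE_POSTS).items():
        print(post_id, "->", "; ".join(findings))
```

The point of the design is that validation happens on the server, against an allowlist, before the content is stored: a denylist that only strips `<script>` would still let `post-3` and `post-4` through. In a WordPress plugin the equivalent building block is the core `wp_kses()` family of functions, which filters submitted HTML against an allowed-tags array for users who lack the `unfiltered_html` capability.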
WHAT IS THE EXPOSURE OR RISK?
Due to the privileges required, security researchers expect that the vulnerability will be used primarily in targeted attacks rather than widespread attempts. If an attack is successful, it would give the attacker a foot in the door to execute further privilege escalation. For sites with multiple contributors, authors, editors, and admins, the attack surface is much wider. While millions of sites using the Elementor plugin are still vulnerable, Wordfence reported that they are not currently seeing active exploits against these vulnerabilities.
WHAT ARE THE RECOMMENDATIONS?
SKOUT recommends the immediate updating of all WordPress websites using the Elementor plugin. Due to the widespread use of the Elementor plugin, SKOUT urges prompt action in getting all sites using Elementor updated to at least version 3.1.4, which is currently the latest version. Updating mitigates the risk posed by the vulnerability. As a best practice, keep every WordPress plugin updated to its latest version: in general, the latest version includes new features as well as fixes for bugs and vulnerabilities present in previous versions.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/
- https://thehackernews.com/2021/03/flaws-in-two-popular-wordpress-plugins.html
- https://wptavern.com/elementor-patches-xss-vulnerabilities-affecting-7-million-wordpress-sites
If you have any questions, please contact our Security Operations Center.