
15 Vulnerabilities Discovered in 11 Elementor Add-ons Impacting Over 3 Million WordPress Sites

Researchers Warn About Vulnerabilities in Popular Elementor Add-On Plugins

Researchers have issued advisories for eleven separate Elementor add-on plugins, identifying 15 vulnerabilities that could enable hackers to upload malicious files. One of these vulnerabilities is considered a high threat as it allows hackers to bypass access controls, execute scripts, and obtain sensitive data.

Types of Vulnerabilities

The majority of the identified vulnerabilities are Stored Cross-Site Scripting (XSS) issues, with three being Local File Inclusion vulnerabilities.

XSS vulnerabilities are common in WordPress plugins and themes, typically stemming from missing or incomplete input sanitization and output escaping.

Local File Inclusion vulnerabilities arise where user-supplied input is used, without validation, to choose which file the application loads, enabling attackers to include and execute files on the server. This can lead to various serious threats, such as bypassing website access restrictions and accessing sensitive data.

The Open Web Application Security Project (OWASP) defines a Local File Inclusion vulnerability as:

"The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a ‘dynamic file inclusion’ mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation."

This vulnerability can result in anything from displaying file contents to executing code on the server or client side, leading to further attacks like XSS, denial of service (DoS), and sensitive information disclosure.
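To make the two defect classes described above concrete, here is an added example (not code from ElementsKit or any plugin named in this article) of a hypothetical widget render function in the pattern both bug classes follow, first in its vulnerable form and then hardened. It assumes it runs inside WordPress, where esc_url() and esc_html() exist; the `templates/` directory, the layout allow-list and the setting keys are constructed for the example.

```php
<?php
// Hypothetical Elementor-style widget render functions (added example, not the
// code of ElementsKit or any plugin named in the article). Widget settings are
// authored in the editor, so any Contributor-level user can control them.

// --- Vulnerable pattern ------------------------------------------------------
function render_vulnerable( array $settings ): void {
    // Local File Inclusion: the layout setting is concatenated straight into an
    // include path, so a traversal sequence or a previously uploaded "safe"
    // file can be selected and executed as PHP.
    include __DIR__ . '/templates/' . $settings['layout'] . '.php';
    // Stored XSS: link and title are echoed without escaping, so markup or a
    // javascript: URL saved in the post is rendered for every visitor.
    echo '<a href="' . $settings['link'] . '">' . $settings['title'] . '</a>';
}

// --- Hardened version --------------------------------------------------------
const ALLOWED_LAYOUTS = [ 'grid', 'list', 'carousel' ]; // constructed allow-list

function render_hardened( array $settings ): void {
    // Allow-list the layout name: a setting may pick one of a fixed set of
    // templates, never an arbitrary path.
    $layout = (string) ( $settings['layout'] ?? 'grid' );
    if ( ! in_array( $layout, ALLOWED_LAYOUTS, true ) ) {
        $layout = 'grid';
    }
    // Defence in depth: resolve the real path and confirm it is still inside
    // the templates directory before including it; fail closed otherwise.
    $base = realpath( __DIR__ . '/templates' );
    $file = false === $base ? false : realpath( $base . '/' . $layout . '.php' );
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return;
    }
    include $file;
    // Escape at output, for the context each value lands in: esc_url() drops
    // disallowed schemes such as javascript:, esc_html() neutralises markup.
    echo '<a href="' . esc_url( $settings['link'] ?? '' ) . '">'
        . esc_html( $settings['title'] ?? '' ) . '</a>';
}
```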

Vulnerable Elementor Add-On Plugins

Eleven Elementor add-on plugins have been identified with vulnerabilities. The advisories for two of these plugins were issued on March 29th, two on March 28th, and the remaining seven within the last few days.

Some plugins have multiple vulnerabilities, accounting for a total of 15 vulnerabilities across the eleven plugins. Here is a list of affected plugins, arranged by the most recent advisories:

  1. ElementsKit Elementor addons (x2)
  2. Unlimited Elements For Elementor
  3. 140+ Widgets | Best Addons For Elementor
  4. Better Elementor Addons
  5. Elementor Addon Elements (x2)
  6. Master Addons for Elementor
  7. The Plus Addons for Elementor (x2)
  8. Essential Addons for Elementor (x2)
  9. Element Pack Elementor Addons
  10. Prime Slider – Addons For Elementor
  11. Move Addons for Elementor

High Severity Vulnerability

The most concerning vulnerability is found in the ElementsKit Elementor Addons plugin for WordPress, putting over a million websites at risk. This vulnerability has been rated 8.8 on a scale of 1 to 10.

This plugin is popular because it allows users to easily modify on-page design features like headers, footers, and menus. It also offers a vast template library and 85 widgets for additional functionality.

Wordfence security researchers highlighted the threat:

"The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers with contributor-level access and above to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other ‘safe’ file types can be uploaded and included."

Affected WordPress Sites

The vulnerabilities could impact over 3 million websites; just two of the plugins account for a combined three million active installations. Because the plugins overlap in features, some sites will run more than one of them, and a site is exposed whether it uses one or several.

List of Vulnerable Plugins by Number of Installations

  1. Essential Addons for Elementor – 2 Million
  2. ElementsKit Elementor addons – 1 Million
  3. Unlimited Elements For Elementor – 200k
  4. Elementor Addon Elements – 100k
  5. The Plus Addons for Elementor – 100k
  6. Element Pack Elementor Addons – 100k
  7. Prime Slider – Addons For Elementor – 100k
  8. Master Addons for Elementor – 40k
  9. 140+ Widgets | Best Addons For Elementor – 10k
  10. Move Addons for Elementor – 3k
  11. Better Elementor Addons – Unknown – Closed By WordPress

Recommended Action

Though many of the medium-severity vulnerabilities require contributor-level access to exploit, that requirement should not be mistaken for safety: another plugin or theme on the same site may give an attacker that level of access.

It is advisable to test updated themes before deploying them to a live site.

Notable Security Advisories:

  • ElementsKit Elementor addons <= 3.0.6 (Authenticated Stored Cross-Site Scripting, CVE-2024-1238)
  • ElementsKit Elementor addons <= 3.0.6 (Authenticated Local File Inclusion, CVE-2024-2047, High Threat)
  • Unlimited Elements For Elementor <= 1.5.96 (Authenticated Stored Cross-Site Scripting via Widget Link, CVE-2024-0367)
  • 140+ Widgets | Best Addons For Elementor – FREE <= 1.4.2 (Authenticated Stored Cross-Site Scripting, CVE-2024-2250)
  • Better Elementor Addons <= 1.4.1 (Authenticated Stored Cross-Site Scripting via widget links, CVE-2024-2280)
  • Elementor Addon Elements <= 1.13.1 (Authenticated Stored Cross-Site Scripting, CVE-2024-2091)
  • Elementor Addon Elements <= 1.13.2 (Authenticated DOM-Based Stored Cross-Site Scripting, CVE-2024-2792)
  • Master Addons for Elementor <= 2.0.5.6 (Authenticated Stored Cross-Site Scripting via Pricing Table Widget, CVE-2024-2139)
  • The Plus Addons for Elementor <= 5.4.1 (Authenticated Local File Inclusion via Team Member Listing, CVE-2024-2210)
  • The Plus Addons for Elementor <= 5.4.1 (Authenticated Local File Inclusion via Clients Widget, CVE-2024-2203)
  • Essential Addons for Elementor <= 5.9.11 (Authenticated Stored Cross-Site Scripting via Countdown Widget, CVE-2024-2623)
  • Essential Addons for Elementor <= 5.9.11 (Authenticated Stored Cross-Site Scripting via Woo Product Carousel Widget, CVE-2024-2650)
  • Element Pack Elementor Addons <= 5.5.3 (Authenticated Stored Cross-Site Scripting via link, CVE-2024-30185)
  • Prime Slider – Addons For Elementor <= 3.13.1 (Authenticated Stored Cross-Site Scripting via title, CVE-2024-30186)
  • Move Addons for Elementor <= 1.2.9 (Authenticated Stored Cross-Site Scripting, CVE-2024-2131)
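As a practical check against the advisory list above, here is an added example (not from the article or Wordfence) that flags installed plugins still at or below their highest affected version. It takes the JSON printed by WP-CLI's `wp plugin list --format=json --fields=title,version`; matching on the plugin titles as printed in this article is an assumption, since titles on wordpress.org can differ slightly, and the sample input is constructed.

```php
<?php
// Added example, not from the article or Wordfence: flag installed plugins whose
// version falls inside the affected range of the advisories above. Input is the
// JSON from `wp plugin list --format=json --fields=title,version` (WP-CLI).
// Matching by title as printed in the article is an assumption; review misses.
// Highest affected version per plugin, transcribed from the advisory list; where
// a plugin has two advisories the higher version is kept.
const AFFECTED_UP_TO = [
    'elementskit elementor addons'             => '3.0.6',
    'unlimited elements for elementor'         => '1.5.96',
    '140+ widgets | best addons for elementor' => '1.4.2',
    'better elementor addons'                  => '1.4.1',
    'elementor addon elements'                 => '1.13.2',
    'master addons for elementor'              => '2.0.5.6',
    'the plus addons for elementor'            => '5.4.1',
    'essential addons for elementor'           => '5.9.11',
    'element pack elementor addons'            => '5.5.3',
    'prime slider – addons for elementor'      => '3.13.1',
    'move addons for elementor'                => '1.2.9',
];
// Lower-case, collapse whitespace, drop a trailing "– FREE" marker (140+ Widgets).
function normalise_title( string $title ): string {
    $t = preg_replace( '/\s+/u', ' ', strtolower( trim( $title ) ) );
    return preg_replace( '/\s*[–-]\s*free$/u', '', $t );
}
// One row per installed plugin at or below its highest affected version.
function find_affected( string $wp_plugin_list_json ): array {
    $hits = [];
    foreach ( (array) json_decode( $wp_plugin_list_json, true ) as $plugin ) {
        $key = normalise_title( $plugin['title'] ?? '' );
        if ( ! array_key_exists( $key, AFFECTED_UP_TO ) ) {
            continue;
        }
        $installed = (string) ( $plugin['version'] ?? '0' );
        if ( version_compare( $installed, AFFECTED_UP_TO[ $key ], '<=' ) ) {
            $hits[] = [ 'title' => $plugin['title'], 'installed' => $installed,
                        'affected_up_to' => AFFECTED_UP_TO[ $key ] ];
        }
    }
    return $hits;
}
// Constructed sample standing in for real WP-CLI output: two affected, one patched.
$sample = '[{"title":"ElementsKit Elementor addons","version":"3.0.6"},'
        . '{"title":"Essential Addons for Elementor","version":"5.9.12"},'
        . '{"title":"The Plus Addons for Elementor","version":"5.4.1"}]';
foreach ( find_affected( $sample ) as $hit ) {
    printf( "%s %s is affected (<= %s), update it\n",
        $hit['title'], $hit['installed'], $hit['affected_up_to'] );
}
```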

Featured Image by Shutterstock/Andrey Myagkov
