Elementor, a widely used WordPress page builder, has released an update to address a vulnerability known as an Authenticated Reflected XSS. This type of vulnerability allows hackers to run scripts from other sites, potentially leading to stolen login credentials.
The vulnerability occurs when a script is loaded onto a vulnerable site, such as through a search box, creating a URL that, when followed, executes the script from another site. Hackers can then send this link to unsuspecting users to steal their credentials.
The WordPress Vulnerability Database indicates that the proof of concept for this vulnerability is being withheld until February 12th to allow users ample time to update.
A website security company that discovered the vulnerability has shared a detailed walkthrough of how the security flaw was found. They contacted the developers of the Elementor Page Builder plugin, who promptly released an update to fix the issue.
The vulnerability affects versions 2.8.4 and older of the Elementor Page Builder. Users are advised to log into their WordPress websites and update if they are using this plugin. The latest version of Elementor Page Builder is 2.8.5.
After signing into your WordPress account, there should be an update link in the admin navigation ribbon at the top of the page. Alternatively, you can access your updates page from the link in the admin sidebar to view all available updates.
