Security Flaws Found in Over 17 Elementor Add-on Plugins for WordPress

Vulnerability Found in Many Elementor Add-on Plugins

Security researchers have discovered that nearly every plugin tested that adds functionality to Elementor has a vulnerability. Several plugin publishers updated their software after being contacted, but not all responded, including some premium plugins.

Elementor’s Own Vulnerability Patch

The Elementor page builder plugin itself addressed a similar vulnerability in February 2021. This recent discovery affects third-party add-on plugins for Elementor.

Widespread Issue

According to the researchers:

"We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder."

This highlights the widespread nature of the vulnerability within third-party add-ons for Elementor.

Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability is notably problematic because the malicious script gets uploaded and stored on the website. When a user visits the compromised page, the browser executes the malicious script. If the visitor has admin-level access, the script could grant the hacker that level of access, potentially leading to a complete site takeover.

In this specific case, an attacker with at least contributor-level permissions can upload a script where an element like a header is supposed to be. This attack is similar to one that Elementor patched in February 2021, described as:

"…the “Heading” element can be set to use H1, H2, H3, etc. tags to apply different heading sizes via the header_size parameter. Unfortunately, for six of these elements, the HTML tags were not validated on the server side, allowing any user with access to the Elementor editor, including contributors, to add executable JavaScript to a post or page via a crafted request."
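
The missing server-side check the quote describes, as an added PHP illustration that is not code from Elementor or any of the listed add-ons: `render_heading_unsafe`, `render_heading_safe`, `validate_heading_tag`, `ALLOWED_HEADING_TAGS` and the settings-array shape are assumptions, and `esc_html` is stubbed so the file runs under plain `php` without a WordPress install.

```php
<?php
// Added example (not Elementor's or any add-on's code): a heading widget's
// render step, first with the unvalidated tag pattern the article describes,
// then hardened with a server-side allowlist for the header_size setting.

// Stand-in for WordPress's esc_html() so this runs without WordPress loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Unsafe: the tag name saved from the editor is interpolated straight into
// markup. A contributor controls header_size in the saved request, so the
// value is rendered as-is into the page every visitor loads.
function render_heading_unsafe(array $settings): string {
    $tag = $settings['header_size'] ?? 'h2';
    return '<' . $tag . '>' . esc_html($settings['title'] ?? '') . '</' . $tag . '>';
}

// Hardened: accept only a fixed set of tag names; anything else falls back
// to a safe default no matter what the request contained.
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

function validate_heading_tag($tag, string $default = 'h2'): string {
    if (!is_string($tag)) {
        return $default;
    }
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $default;
}

function render_heading_safe(array $settings): string {
    $tag = validate_heading_tag($settings['header_size'] ?? null);
    return '<' . $tag . '>' . esc_html($settings['title'] ?? '') . '</' . $tag . '>';
}

// Constructed sample settings: a normal editor choice, and a value that is
// not a heading tag at all. Only the server-side allowlist rejects the latter.
$normal   = ['header_size' => 'h3',     'title' => 'Welcome'];
$notATag  = ['header_size' => 'script', 'title' => 'Welcome'];

echo render_heading_unsafe($normal),  PHP_EOL;  // <h3>Welcome</h3>
echo render_heading_unsafe($notATag), PHP_EOL;  // <script>Welcome</script>
echo render_heading_safe($notATag),   PHP_EOL;  // <h2>Welcome</h2>
```

The client-side dropdown is irrelevant to the check: a saved request can carry any string, so the allowlist has to live in the render path on the server.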

List of Top Patched Elementor Add-on Plugins

Seventeen popular plugins for Elementor, installed on millions of sites, were affected by this vulnerability. The following list, although partial, includes some of the commonly used plugins that have been patched:

  1. Essential Addons for Elementor
  2. Elementor – Header, Footer & Blocks Template
  3. Ultimate Addons for Elementor
  4. Premium Addons for Elementor
  5. ElementsKit
  6. Elementor Addon Elements
  7. Livemesh Addons for Elementor
  8. HT Mega – Absolute Addons for Elementor Page Builder
  9. WooLentor – WooCommerce Elementor Addons + Builder
  10. PowerPack Addons for Elementor
  11. Image Hover Effects – Elementor Addon
  12. Rife Elementor Extensions & Templates
  13. The Plus Addons for Elementor Page Builder Lite
  14. All-in-One Addons for Elementor – WidgetKit
  15. JetWidgets For Elementor
  16. Sina Extension for Elementor
  17. DethemeKit For Elementor

Steps for Users

Publishers using third-party plugins for Elementor should verify that these plugins have been updated to patch this vulnerability. Although the vulnerability requires at least contributor-level access, hackers can use various methods, including social engineering, to obtain the necessary credentials.

According to the researchers:

"It may be easier for an attacker to obtain access to an account with contributor privileges than to gain administrative credentials. A vulnerability of this type can be used to perform privilege escalation by executing JavaScript in a reviewing administrator’s browser session."

If your third-party Elementor plugin has not been recently updated to address this vulnerability, contact the plugin’s publisher to ensure it is safe.

Citation

Recent Patches Rock the Elementor Ecosystem
