Security researchers have issued an advisory on six unique XSS vulnerabilities discovered in the Elementor Website Builder and its Pro version that may allow attackers to inject malicious scripts.
Elementor Website Builder
Elementor is a leading website builder platform with over 5 million active installations worldwide, reportedly powering over 16 million websites. The drag-and-drop interface allows users to quickly create professional websites, while the Pro version extends the platform with additional widgets and advanced ecommerce capabilities.
This popularity has also made Elementor a target for hackers, making these six vulnerabilities particularly concerning.
Six XSS Vulnerabilities
Elementor Website Builder and its Pro version contain six different Cross-Site Scripting (XSS) vulnerabilities. Five of these vulnerabilities are due to insufficient input sanitization and output escaping, while one is due to insufficient input sanitization alone.
Input sanitization is a standard coding practice used to secure areas of a plugin that allow users to input data into a form field or upload media. It blocks any input that does not conform to what is expected, such as scripts or HTML. Output escaping secures what the plugin outputs to the browser to prevent untrusted scripts from affecting site visitors.
The official WordPress Developer Handbook advises for input sanitization:
“Sanitizing input is the process of securing/cleaning/filtering input data.”
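The two layers described above, sanitizing what is saved and escaping what is rendered, as an added JavaScript example. This is not Elementor's code and does not reflect how any of the six affected widgets are implemented; the function names, the allow-list and the sample settings object are assumptions constructed for the illustration. It shows a stored widget setting being rendered two ways: concatenated straight into markup (the pattern that produces stored XSS when either layer is missing) and rendered with an allow-listed tag name plus escaping at the output point.

```javascript
// Added example, not Elementor's code. Illustrates input sanitization
// (at save time) and output escaping (at render time) for widget settings
// that a contributor-level user can store.

// Output escaping: make a string safe for HTML text content or a
// double-quoted attribute value. '&' is replaced first so that the
// entities produced by the later replacements are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Input sanitization: a custom id should only ever be an HTML id token,
// so strip everything that is not a letter, digit, underscore or hyphen
// before the value is stored.
function sanitizeCustomId(value) {
  return String(value).replace(/[^A-Za-z0-9_-]/g, "");
}

// A stored "html tag" setting must never be trusted as markup. Restrict it
// to a small allow-list (an assumption for this example) and fall back to
// a default element for anything else.
const ALLOWED_TAGS = new Set(["div", "span", "p", "h2", "h3"]);
function safeTagName(tag, fallback = "div") {
  const candidate = String(tag).trim().toLowerCase();
  return ALLOWED_TAGS.has(candidate) ? candidate : fallback;
}

// Unsafe rendering pattern: stored settings are concatenated directly into
// markup, so whatever the contributor saved reaches the page unchanged.
function renderUnsafe(settings) {
  return `<${settings.tag} id="${settings.customId}">${settings.text}</${settings.tag}>`;
}

// Hardened rendering: the tag name comes from the allow-list, and both the
// attribute value and the text content are escaped at the output point.
function renderSafe(settings) {
  const tag = safeTagName(settings.tag);
  const id = escapeHtml(sanitizeCustomId(settings.customId));
  return `<${tag} id="${id}">${escapeHtml(settings.text)}</${tag}>`;
}

// Constructed sample settings: the kind of values a contributor could save
// through a widget form. Each one carries characters that would change the
// meaning of the markup if rendered verbatim.
const SAMPLE_SETTINGS = {
  tag: "div><script>",              // constructed: tries to close the tag and open another
  customId: 'id-1" data-x="y',      // constructed: tries to break out of the attribute
  text: "<b>Next post</b> & more",  // constructed: markup inside text content
};

// Simple check a reviewer or test could run over rendered output.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

console.log("unsafe:", renderUnsafe(SAMPLE_SETTINGS));
console.log("safe:  ", renderSafe(SAMPLE_SETTINGS));
```

The hardened path keeps both layers on purpose: `sanitizeCustomId` limits what can be stored, and `escapeHtml` protects the render step even if a value reached the database by another route (an import, an older version, a different form). Dropping either layer is the condition the advisory describes for five of the six issues.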
All six vulnerabilities are distinct and unrelated to each other, each arising from insufficient security measures in a different part of Elementor. One of them, CVE-2024-2120, may affect both the free and Pro versions. Further clarification has been sought, and this article will be updated accordingly.
List of Six Elementor Vulnerabilities
The following is a list of the six vulnerabilities and the versions they affect, all rated as medium-level security threats. The first two affect Elementor Website Builder, and the next four affect the Pro version. The CVE number refers to the official entry in the Common Vulnerabilities and Exposures database.
- Elementor Website Builder (CVE-2024-2117)
  - Affects up to and including 3.20.2 – Authenticated DOM-Based Stored Cross-Site Scripting via Path Widget
- Elementor Website Builder Pro (and possibly free) (CVE-2024-2120)
  - Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Post Navigation
- Elementor Website Builder Pro (CVE-2024-1521)
  - Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Form Widget SVGZ File Upload
  - Affects only sites hosted on NGINX-based servers; sites running Apache HTTP Server are unaffected.
- Elementor Website Builder Pro (CVE-2024-2121)
  - Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Media Carousel widget
- Elementor Website Builder Pro (CVE-2024-1364)
  - Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via widget’s custom_id
- Elementor Website Builder Pro (CVE-2024-2781)
  - Affects up to and including 3.20.1 – Authenticated DOM-Based Stored Cross-Site Scripting via video_html_tag
All six vulnerabilities require at least contributor-level permissions to exploit.
Elementor Website Builder Changelog
According to Wordfence, there are two vulnerabilities affecting the free version of Elementor. However, the changelog shows only one fix. The issues affecting the free version are in the Path Widget and Post Navigation Widget. Nonetheless, the changelog for the free version only lists a patch for the Text Path Widget and not the Post Navigation one.
Excerpt from the changelog:
“Security Fix: Improved code security enforcement in Text Path Widget.”
The Post Navigation Widget lets site visitors move to the previous or next post in a series. While the fix is missing from the free version’s changelog, it is included in the Elementor Pro changelog, which confirms that it is fixed in that version:
- Security Fix: Improved code security enforcement in Media Carousel widget
- Security Fix: Improved code security enforcement in Form widget
- Security Fix: Improved code security enforcement in Post Navigation widget
- Security Fix: Improved code security enforcement in Gallery widget
- Security Fix: Improved code security enforcement in Video Playlist widget
The missing entry in the free changelog may be a misprint, as the official Wordfence advisory for CVE-2024-2120 lists the “software slug” as elementor-pro.
Recommended Course Of Action
Users of both versions of the Elementor Website Builder are encouraged to update the plugin to the latest version. Although exploiting these vulnerabilities requires an attacker to obtain contributor-level credentials, that remains a real possibility, especially if contributors use weak passwords.
Advisories:
- Elementor Website Builder – More than Just a Page Builder <= 3.20.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget CVE-2024-2117
- Elementor Website Builder – More than Just a Page Builder <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation CVE-2024-2120
- Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload CVE-2024-1521
- Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2121
- Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via widget’s custom_id CVE-2024-1364
- Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag CVE-2024-2781