
Over 2 Million WordPress Sites Affected by Essential Addons for Elementor Vulnerability

Security researchers have published an advisory on the popular Essential Addons For Elementor WordPress plugin, which was found to contain two Stored Cross-Site Scripting (XSS) vulnerabilities affecting the more than 2 million websites that use it.

Flaws in two different widgets that are part of the plugin are responsible for the vulnerabilities.

Two Widgets That Lead To Vulnerabilities

  1. Countdown Widget
  2. Woo Product Carousel Widget

Essential Addons For Elementor

Essential Addons is a plugin that extends the popular Elementor WordPress page builder. Elementor simplifies website creation, and Essential Addons enhances it by adding more features and widgets.

The Vulnerability

The advisory announced that the plugin contained a Stored Cross-Site Scripting (XSS) vulnerability. A stored XSS flaw lets an attacker save a malicious script on the site itself (here, in a widget's settings) so that it is served to, and executed in, the browser of everyone who views the affected page. If that viewer is a logged-in administrator, the script runs with the administrator's privileges and can, for example, create a new administrator account or change site settings, which is how a stored XSS in a page-builder widget can escalate to a full site takeover. Outright theft of the session cookie is the less likely route, since WordPress marks its authentication cookies HttpOnly, but the script does not need the cookie to send requests on the administrator's behalf.

XSS vulnerabilities are common and usually arise from one of two missing controls. The first is input sanitization: when a plugin saves a field that accepts free text (or a setting that is supposed to be one of a few fixed choices), it should reduce the value to what that field is allowed to hold, stripping or rejecting markup and script. The second is output escaping: when the saved value is later written into a page, it should be encoded for the context it lands in (HTML text, an attribute value, a URL, or JavaScript) so that characters with special meaning are rendered literally rather than interpreted as markup. Escaping does not remove data; it makes the browser treat the data as text. The two controls are independent and both should be present, because a value can reach the output path by a route that skipped sanitization.

Both controls were missing in the affected widgets: the advisory cites "insufficient input sanitization and output escaping" for each of them.
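The following is an added example and not code from Essential Addons, Elementor, or the advisory. It uses a hypothetical countdown-style widget with a free-text `message` setting and an `alignment` setting (names chosen for illustration; the plugin's real settings keys and render code are not shown on this page) to contrast the two defects the advisory names with their hardened form. `esc_html`, `esc_attr` and `sanitize_text_field` are WordPress core helpers; so that the file also runs under the plain `php` CLI without WordPress loaded, simplified stand-ins are declared only when the real functions are absent.

```php
<?php
// Added example, not code from the Essential Addons plugin. A hypothetical
// widget renders a "message" text setting and an "alignment" setting, first
// the way the advisory describes (no sanitization, no escaping), then hardened.

// Stand-ins so this runs outside WordPress. They are simplified approximations
// of the WordPress functions and are skipped when WordPress has loaded the real ones.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // WordPress also strips invalid UTF-8, octets and line breaks; strip_tags + trim is enough here.
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s));
    }
}

// Constructed sample settings, as a contributor-level account could save them.
// Both values carry XSS payloads, one for the text context, one for the attribute context.
$settings = [
    'message'   => '<img src=x onerror=alert(document.cookie)>Time is up!',
    'alignment' => '" onmouseover="alert(1)',
];

// Vulnerable: saved settings are concatenated straight into the markup.
function render_vulnerable(array $s): string {
    return '<div class="countdown-msg" style="text-align:' . $s['alignment'] . '">'
         . $s['message'] . '</div>';
}

// Hardened, control 1 (sanitize on save): free text is reduced to plain text and
// the alignment is allow-listed to the values the widget actually supports.
function sanitize_settings(array $s): array {
    $allowed   = ['left', 'center', 'right'];
    $alignment = in_array($s['alignment'] ?? '', $allowed, true) ? $s['alignment'] : 'left';
    return [
        'message'   => sanitize_text_field($s['message'] ?? ''),
        'alignment' => $alignment,
    ];
}

// Hardened, control 2 (escape on output): every value is escaped for the context it
// lands in (text content vs. attribute value), even if it was sanitized on save.
function render_hardened(array $s): string {
    return '<div class="countdown-msg" style="text-align:' . esc_attr($s['alignment']) . '">'
         . esc_html($s['message']) . '</div>';
}

echo "Vulnerable (no sanitization, no escaping):\n", render_vulnerable($settings), "\n\n";
echo "Escaping only (payload rendered as inert text):\n", render_hardened($settings), "\n\n";
echo "Sanitized on save and escaped on output:\n",
     render_hardened(sanitize_settings($settings)), "\n";
```

Run it with `php example.php`. The vulnerable output closes the `style` attribute early and injects an `onmouseover` handler, and the `<img>` element with its `onerror` handler is emitted as live markup. The "escaping only" line shows that output escaping by itself already neutralizes both payloads, which is why the advisory treats the missing escaping as the core defect; the sanitize-on-save step is defense in depth and also keeps junk out of the database in the first place.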

They warned about the countdown widget:

"The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget’s message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."

The warning about the Woo Product Carousel Widget:

"The Essential Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the alignment parameter in the Woo Product Carousel widget in all versions up to, and including, 5.9.10 due to insufficient input sanitization and output escaping."

Authenticated Attackers

The term “authenticated attackers” means that the attacker needs an account on the target site rather than being able to strike anonymously; for these vulnerabilities that account needs the contributor role or higher. Contributor is a low-privilege role: it can draft posts but not publish them, and it lacks the unfiltered_html capability, so the script filtering WordPress core applies to a contributor's post content does not by itself protect settings a plugin stores for its own widgets. That is why the plugin's own sanitization and escaping is what stands between a contributor-level account and script execution in an administrator's browser.

Medium Level Threat – Updating Recommended

The vulnerabilities are rated as a medium threat with a CVSS score of 6.4 on a scale of 0 to 10, where 10 is the most critical level. Sites running version 5.9.11 or lower should upgrade: the Woo Product Carousel widget was fixed after 5.9.10 and the countdown widget after 5.9.11, so only releases newer than 5.9.11 contain both fixes. The latest version of the plugin at the time of writing is 5.9.13.

Read the security bulletins:

  • Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
