Security researchers at Wordfence have identified a vulnerability in sites built using Elementor. This flaw is classified as a Stored Cross-site Scripting (XSS) vulnerability and has the potential to let attackers take control of a website.
Stored Cross Site Scripting Vulnerability
Cross Site Scripting (XSS) is a type of vulnerability in which an attacker places a malicious script on a website, and that script is then executed by the browser of anyone visiting the affected web page. Such a script can perform numerous malicious actions, such as stealing session cookies or login credentials.
This specific XSS flaw is termed a Stored Cross Site Scripting vulnerability because the malicious script is stored on the website itself. The other type of XSS, called Reflected Cross Site Scripting, relies on a victim clicking a crafted link, often delivered by email. Stored Cross Site Scripting is more harmful because it can target every visitor to the web page rather than only those who click a link.
Stored XSS Elementor Exploit
The stored XSS vulnerability in Elementor can be used to steal administrator credentials. However, the attacker must first hold an authenticated WordPress user role on the target site; even the low-level Contributor role is sufficient to initiate the attack.
The Contributor level WordPress role is a low level of registered user that can read, publish, edit, and delete their own articles on a website. They cannot upload media files such as images.
How the Elementor Vulnerability Attack Works
The attack exploits a loophole that allows an attacker to insert a malicious script from within the Elementor editing screen.
The loophole existed in six Elementor components:
- Accordion
- Icon Box
- Image Box
- Heading
- Divider
- Column
Wordfence explained how attackers exploit these components:
"Many of these elements offer the option to set an HTML tag for the content within. For example, the ‘Heading’ element can be set to use H1, H2, H3, etc. tags to apply different heading sizes via the header_size parameter. Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request."
Once the script is stored, it executes in the browser of anyone who views the page, including an editor previewing the page before publishing, which can give the attacker access to that user's authenticated session.
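The Wordfence quote describes the root cause: the tag name chosen in the editor is written into the page without a server-side check. The following is an added example, not Elementor's or Wordfence's code, written in plain PHP without WordPress dependencies (WordPress code would use esc_html() where htmlspecialchars() appears). It contrasts the unvalidated pattern with an allowlist check and adds a defender's audit that walks a saved element tree; the tree shape (elements carrying 'settings' and nested 'elements'), the 'html_tag' key and the sample data are assumptions for this example, and only 'header_size' comes from the page.

```php
<?php
// Added example (not Elementor's code): unvalidated vs allowlisted HTML tag handling.

const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Vulnerable pattern (hypothetical): the tag name from the saved widget settings is
// interpolated into the markup with no check, so any value reaches the rendered page.
function render_heading_unvalidated(array $settings): string
{
    $tag   = (string) ($settings['header_size'] ?? 'h2');
    $title = htmlspecialchars((string) ($settings['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Hardened pattern: accept only tag names from a fixed allowlist. The check runs on
// the server, so the editor UI's dropdown is not relied on as the only control.
function is_allowed_html_tag(string $tag): bool
{
    return in_array(strtolower(trim($tag)), ALLOWED_HEADING_TAGS, true);
}

function validate_html_tag(string $tag, string $default = 'h2'): string
{
    return is_allowed_html_tag($tag) ? strtolower(trim($tag)) : $default;
}

function render_heading_validated(array $settings): string
{
    $tag   = validate_html_tag((string) ($settings['header_size'] ?? 'h2'));
    $title = htmlspecialchars((string) ($settings['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Defender's audit: walk a saved element tree (assumed shape) and report every widget
// whose tag setting is outside the allowlist. 'header_size' is the key named by
// Wordfence; 'html_tag' is a hypothetical generic key included for illustration.
function audit_tag_settings(array $elements, array &$findings = [], string $path = ''): array
{
    foreach ($elements as $i => $element) {
        $here = $path . '/' . ($element['id'] ?? (string) $i);
        foreach (['header_size', 'html_tag'] as $key) {
            if (isset($element['settings'][$key])
                && !is_allowed_html_tag((string) $element['settings'][$key])) {
                $findings[] = [
                    'path'   => $here,
                    'widget' => $element['widgetType'] ?? $element['elType'] ?? 'unknown',
                    'key'    => $key,
                    'value'  => (string) $element['settings'][$key],
                ];
            }
        }
        if (!empty($element['elements']) && is_array($element['elements'])) {
            audit_tag_settings($element['elements'], $findings, $here);
        }
    }
    return $findings;
}

// Constructed sample tree: one clean heading and one whose tag value is not a tag name.
$sample = [
    ['id' => 'sec1', 'elType' => 'section', 'settings' => [], 'elements' => [
        ['id' => 'head1', 'elType' => 'widget', 'widgetType' => 'heading',
         'settings' => ['title' => 'Welcome', 'header_size' => 'h1']],
        ['id' => 'head2', 'elType' => 'widget', 'widgetType' => 'heading',
         'settings' => ['title' => 'Offer', 'header_size' => 'not-a-tag-name']],
    ]],
];

foreach ($sample[0]['elements'] as $widget) {
    echo 'unvalidated: ', render_heading_unvalidated($widget['settings']), PHP_EOL;
    echo 'validated:   ', render_heading_validated($widget['settings']), PHP_EOL;
}
print_r(audit_tag_settings($sample));
```

For the second widget the unvalidated renderer emits the bogus value as a tag, while the validated renderer falls back to the h2 default, and the audit lists that widget by path, key and offending value. The same allowlist function serves both the save path and the audit, so the accepted set cannot drift between them.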
Update Elementor Now
Wordfence recommends that all Elementor users update to version 3.1.4 or later. A changelog is a software developer's official record of the changes made in each version of the software. The official Elementor Pro changelog indicates that version 3.2.0 includes a fix for a security issue, so it is advisable to update to the latest version available:
"Sanitized options in the editor to enforce better security policies."
Citations
Official Wordfence announcement: Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites
Elementor Pro Changelog