A WordPress plugin add-on for the popular Elementor page builder recently patched a vulnerability affecting over 200,000 installations. The vulnerability, found in the Jeg Elementor Kit plugin, allows authenticated attackers to upload malicious scripts.
Stored Cross-Site Scripting (Stored XSS)
The patch fixed an issue that could lead to a Stored Cross-Site Scripting exploit, in which an attacker uploads a malicious file to the website's server, where it is stored and runs whenever a user visits the page that loads it. This differs from Reflected XSS, which requires an admin or other user to be tricked into clicking a link that triggers the exploit. Both kinds of XSS can lead to a full-site takeover.
Insufficient Sanitization And Output Escaping
An advisory noted that the source of the vulnerability is a lapse in a security practice known as sanitization, which requires a plugin to filter what a user is allowed to input into the website. For instance, if an image or text is expected, every other kind of input must be rejected.
Another issue that was patched involved a security practice called output escaping. This process is similar to filtering but applies to what the plugin itself outputs, preventing it from emitting, for example, a malicious script. Specifically, it converts characters that a browser could interpret as code into their harmless escaped forms, so the user's browser renders the output as text instead of executing it as a script.
The advisory explains:
“The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.”
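As an added illustration of the two practices the advisory names, not code from the Jeg Elementor Kit plugin or its advisory, the PHP 8 snippet below applies an input check that rejects SVG uploads carrying active content, followed by the output-escaping step; the function names and the sample SVG documents are constructed for the example.

```php
<?php
// Added example (PHP 8), not code from the Jeg Elementor Kit plugin. Function names and
// samples are constructed. A production sanitizer should allow-list elements and
// attributes; this denylist only demonstrates the principle.
/**
 * Input sanitization for an SVG upload: true only if the document carries no active content.
 * Rejects <script>, <foreignObject>, any on* event-handler attribute, and
 * href / xlink:href values that use the javascript: scheme.
 */
function svg_upload_is_safe(string $svg): bool
{
    $dom  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);          // collect parse errors quietly
    $ok   = $dom->loadXML($svg, LIBXML_NONET);          // no network access while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok === false || $dom->documentElement === null
        || strtolower($dom->documentElement->localName) !== 'svg') {
        return false;                                   // malformed XML, or not an SVG at all
    }
    foreach ($dom->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->localName);
        if ($tag === 'script' || $tag === 'foreignobject') {
            return false;
        }
        foreach ($el->attributes as $attr) {
            $name  = strtolower($attr->localName);      // xlink:href has localName "href"
            $value = strtolower(preg_replace('/\s+/', '', $attr->value));
            if (str_starts_with($name, 'on')) {
                return false;                           // onload=, onclick=, ...
            }
            if ($name === 'href' && str_starts_with($value, 'javascript:')) {
                return false;
            }
        }
    }
    return true;
}
/** Output escaping: neutralise characters the browser would otherwise read as markup. */
function escape_for_html(string $untrusted): string
{
    // WordPress code would call esc_html() / esc_attr(); this is the plain-PHP equivalent.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// Constructed samples: a plain drawing and one carrying an event-handler attribute.
$benign  = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>';
$hostile = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="10"/></svg>';
printf("benign accepted: %s\n",  svg_upload_is_safe($benign)  ? 'yes' : 'no');
printf("hostile accepted: %s\n", svg_upload_is_safe($hostile) ? 'yes' : 'no');
echo escape_for_html('<b onmouseover="x">title</b>'), "\n";  // emitted as text, not markup
```

Rejecting the upload stops the script from ever being stored; escaping on output is the second layer, for values that do reach a page.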
Medium Level Threat
The vulnerability received a medium-severity threat score of 6.4 on a scale of 1 – 10. Users are advised to update to Jeg Elementor Kit version 2.6.8 (or higher, if available).