The publishers of the Ultimate Addons for Elementor plugin have informed customers about a vulnerability affecting two of their plugins.
This is the relevant entry in the changelog for the Ultimate Addons for Elementor plugin that Brainstorm Force fixed in March 2021:
Version 1.30.0 – Fixed – March 30, 2021
- Hardened allowed options in the editor to enforce better security policies.
Brainstorm Force Elementor Plugin Vulnerabilities
The publishers of the Ultimate Addons for Elementor plugin have alerted customers about a vulnerability affecting two of their plugins. These plugins are addons for the popular Elementor page builder. Addons are third-party plugins that enhance the features and functionality of the Elementor Page Builder.
The affected plugins are published by Brainstorm Force. The specific plugins impacted are:
- Ultimate Addons for Elementor
- Elementor – Header, Footer & Blocks Template
An email from Brainstorm Force noted that they were alerted to the vulnerabilities by the Wordfence security team and responded within hours.
According to the email:
"In each of these updates, we’ve fixed a vulnerability reported to us by the team at Wordfence. These are very similar to the ones that the Elementor team recently fixed in their version 3.1.2."
Screenshot of Brainstorm Force Email
The Elementor vulnerability referenced by Brainstorm Force is known as a Stored Cross-site Scripting Vulnerability. This type of vulnerability could enable malicious hackers to take over a website completely.
Stored Cross-site Scripting Vulnerability
Brainstorm Force did not explicitly state that the vulnerability they patched was a Stored Cross-site Scripting Vulnerability. They only mentioned that the fixed vulnerability was similar to one patched by the Elementor page builder software. A Stored Cross-Site Scripting Vulnerability is one where a malicious script is saved on the website itself (for example in the database) and then served to everyone who views the affected page. This vulnerability is generally considered to be more serious than a Reflected XSS attack, which relies on a victim clicking on a crafted malicious link.
With a Stored XSS Vulnerability, no link needs to be clicked for the site to be affected; the vulnerability exists on the website itself.
Wordfence Has Not Released Details
Wordfence has not yet released detailed information about the vulnerability. As of now, the only description available is that it is similar to the Elementor page builder vulnerability. Brainstorm Force did not explicitly confirm that their plugin vulnerabilities are Stored XSS vulnerabilities, only that they are similar to the Elementor vulnerability, which was an XSS issue.
Fixed Versions of Elementor Addons
The Elementor – Header, Footer & Blocks Template
Patched on March 31, 2021 to version 1.5.8.
According to the changelog, the update includes hardening against a vulnerability.
"1.5.8
Fix: Hardened allowed options in the editor to enforce better security policies."
The need to harden the editor suggests that the vulnerability might require a hacker to have subscriber-level privileges. However, this has not been officially confirmed.
Ultimate Addons for Elementor
Patched on March 31, 2021 to version 1.30.0.
The reason for the fix is the same as for the Elementor – Header, Footer & Blocks Template.
According to the Ultimate Addons for Elementor changelog:
"Hardened allowed options in the editor to enforce better security policies."
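As an added illustration (not Brainstorm Force's or Elementor's code; the widget, its settings and the allowlist are assumed), the PHP sketch below shows why an editor option rendered into stored page markup matters and what "hardening allowed options" can mean in practice: the weak version trusts a stored option verbatim, while the hardened version checks it against an allowlist and escapes the text before it reaches every visitor's browser.

```php
<?php
// Assumed scenario: a page-builder widget stores the settings a user picked in
// the editor, and renders them later for every visitor. Anything that slips
// through at render time is served to all visitors, which is what makes a
// stored XSS more serious than a reflected one.

// Constructed sample settings, as a low-privilege editor user might submit them.
// The tag option is not a bare tag name, and the title carries markup.
$untrusted_settings = [
    'title'     => 'Welcome <img src=x onerror=alert(1)>',
    'title_tag' => 'h2 onmouseover="alert(1)"',
];

// Weak rendering: the stored option and the text are trusted as-is.
function render_heading_unsafe(array $settings): string {
    $tag = $settings['title_tag'];
    return "<{$tag}>{$settings['title']}</{$tag}>";
}

// Hardened rendering: the option must be one of a fixed set of allowed values
// (the "allowed options" idea from the changelog), and the text is escaped.
// In a WordPress plugin, tag_escape() and esc_html() play the same roles.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

function render_heading_hardened(array $settings): string {
    $tag = strtolower(trim((string) ($settings['title_tag'] ?? 'h2')));
    if (!in_array($tag, ALLOWED_TITLE_TAGS, true)) {
        $tag = 'h2'; // unknown or malformed option falls back to a safe default
    }
    $text = htmlspecialchars(
        (string) ($settings['title'] ?? ''),
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return "<{$tag}>{$text}</{$tag}>";
}

echo "Unsafe:   " . render_heading_unsafe($untrusted_settings) . PHP_EOL;
echo "Hardened: " . render_heading_hardened($untrusted_settings) . PHP_EOL;
```

The unsafe output contains a live event handler on the heading and an unescaped image tag; the hardened output is a plain `<h2>` whose text shows the markup as inert characters.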
Update Immediately
It is strongly recommended that all site owners using either of these two plugins update to the patched versions immediately.
The latest patched versions are:
- The Elementor – Header, Footer & Blocks Template 1.5.8
- Ultimate Addons for Elementor 1.30.0