Vulnerabilities in 17+ Elementor Add-on Plugins for WordPress

Wordfence security researchers discovered that virtually every plugin tested that adds functionality to Elementor had a vulnerability. Many of the contacted plugin publishers updated their plugins but not all of them responded, including premium plugins.

The Elementor page builder plugin itself patched a similar vulnerability in February 2021.

This vulnerability affects add-on plugins for Elementor that are created by third parties.

Advertisement

Continue Reading Below

According to Wordfence:

“We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder.”

So it seems that this vulnerability is fairly widespread within the third party plugins that are add-ons to Elementor

Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability is particularly problematic because the malicious script is uploaded to and stored on the website itself. Then when a user visits the affected web page the browser will execute the malicious script.

If the person visiting the site is signed in and has admin level access then the script could be used to provide that level of access to the hacker and lead to a total site takeover.

Advertisement

Continue Reading Below

This particular vulnerability allows an attacker with at least a contributor level permission to upload a script in place where an element (like a header element) is supposed to be.

The attack is similar to one that Elementor patched in February 2021.

This is how the Elementor vulnerability is described:

“…the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.

Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request.”

List of Top Elementor Add-on Plugins Fixed

The list below of seventeen plugins for Elementor that were affected are installed on millions of sites.

Of those plugins there are over a hundred endpoints, which means that there were multiple vulnerabilities in each of the plugins where an attacker could upload a malicious JavaScript file.

The following list is just a partial one.

If your third party plugin that adds functionality to Elementor is not listed then it’s imperative to check with the publisher to make sure if it has been checked to see if it too contains this vulnerability.

Advertisement

Continue Reading Below

List of Top 17 Patched Elementor Plugins

  1. Essential Addons for Elementor
  2. Elementor – Header, Footer & Blocks Template
  3. Ultimate Addons for Elementor
  4. Premium Addons for Elementor
  5. ElementsKit
  6. Elementor Addon Elements
  7. Livemesh Addons for Elementor
  8. HT Mega – Absolute Addons for Elementor Page Builder
  9. WooLentor – WooCommerce Elementor Addons + Builder
  10. PowerPack Addons for Elementor
  11. Image Hover Effects – Elementor Addon
  12. Rife Elementor Extensions & Templates
  13. The Plus Addons for Elementor Page Builder Lite
  14. All-in-One Addons for Elementor – WidgetKit
  15. JetWidgets For Elementor
  16. Sina Extension for Elementor
  17. DethemeKit For Elementor

What to Do if You Use an Elementor Plugin?

Publishers using third party plugins for Elementor should make sure that those plugins have been updated to patch this vulnerability.

While this vulnerability requires at least a contributor level access, a hacker who is specifically targeting a site can leverage various attacks or strategies to obtain those credentials, including social engineering.

Advertisement

Continue Reading Below

According to Wordfence:

“It may be easier for an attacker to obtain access to an account with contributor privileges than to gain administrative credentials, and a vulnerability of this type can be used to perform privilege escalation by executing JavaScript in a reviewing administrator’s browser session.”

If your third party add-on plugin to Elementor has not recently been updated to patch a vulnerability you may want to contact the publisher of that plugin to ascertain if it is safe.

Citation

Recent Patches Rock the Elementor Ecosystem

You May Also Like

About the Author: admin

Leave a Reply

Your email address will not be published. Required fields are marked *