Elementor WordPress Plugin Hit By 6 Vulnerabilities
Security researchers issued an advisory on six distinct XSS vulnerabilities found in the Elementor Website Builder and its Pro version that could allow attackers to inject malicious scripts.

Elementor Website Builder

Elementor is a leading website builder platform with over 5 million active installations worldwide, with the official WordPress repository claiming it powers over 16 million websites worldwide. The drag-and-drop interface allows anyone to quickly create professional websites, while the Pro version extends the platform with more widgets and advanced ecommerce capabilities.

That popularity has also made Elementor a popular target for hackers, which makes these six vulnerabilities of particular concern.

Six XSS Vulnerabilities

Elementor Website Builder and the Pro version contain six different Cross-Site Scripting (XSS) vulnerabilities. Five of the vulnerabilities are due to insufficient input sanitization and output escaping, while one of them is due to insufficient input sanitization alone.

Input sanitization is a standard coding practice used to secure areas of a plugin that allow users to enter data into a form field or upload media. The process of sanitization blocks any input that doesn't conform to what is expected. A properly secured input for text data should block scripts or HTML, which is what input sanitization does.

Output escaping is the process of securing what the plugin outputs to the browser to keep it from exposing a site visitor's browser to untrusted scripts.

The official WordPress Developer Handbook advises for input sanitization:

“Sanitizing input is the process of securing/cleaning/filtering input data.”
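As an added illustration of the two practices described above, the following WordPress plugin fragment (example code written for this article, not Elementor's or Wordfence's code) sanitizes a contributor-supplied caption when it is saved and escapes it again when it is rendered. It assumes it is loaded inside WordPress, so the `sanitize_text_field()`, `esc_attr()`, `esc_html()` and post-meta functions are the real WordPress API; the meta key `_demo_caption`, the shortcode name `demo_caption` and the `demo_*` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Sanitize-and-Escape Demo (added example, not Elementor code)
 *
 * Shows the two defences the article describes:
 *   1. input sanitization when a user-supplied value is stored, and
 *   2. output escaping when that value is written into a visitor's page.
 * Assumes WordPress is loaded. Meta key, shortcode and function names are
 * hypothetical.
 */

defined( 'ABSPATH' ) || exit;

const DEMO_META_KEY = '_demo_caption'; // hypothetical meta key

/**
 * Save side: sanitize before storing.
 * sanitize_text_field() strips tags, removes line breaks and extra
 * whitespace and drops invalid UTF-8, so "<script>" never reaches the
 * database as markup. wp_unslash() undoes the slashes WordPress adds to
 * request data. Returns the value that was actually stored.
 */
function demo_save_caption( int $post_id, string $raw_caption ): string {
    $clean = sanitize_text_field( wp_unslash( $raw_caption ) );
    update_post_meta( $post_id, DEMO_META_KEY, $clean );
    return $clean;
}

/**
 * Output side: escape for the context the value lands in.
 * Sanitizing on save is not enough by itself: a value written by an older
 * code path, or through another route into post meta, is still neutralised
 * here. The element name is fixed in code and never taken from user input.
 */
function demo_render_caption( int $post_id ): string {
    $caption = (string) get_post_meta( $post_id, DEMO_META_KEY, true );
    $tag     = 'figure';

    return sprintf(
        '<%1$s class="demo-caption" data-caption="%2$s">%3$s</%1$s>',
        tag_escape( $tag ),
        esc_attr( $caption ),  // attribute context
        esc_html( $caption )   // element text context
    );
}

/**
 * The pattern the fixes above close, kept only for contrast: the stored
 * value is concatenated straight into markup with no escaping, so any
 * markup that slipped past (or predates) sanitization runs in the browser.
 */
function demo_render_caption_unsafe( int $post_id ): string {
    $caption = (string) get_post_meta( $post_id, DEMO_META_KEY, true );
    return '<figure class="demo-caption">' . $caption . '</figure>';
}

// [demo_caption id="123"] renders the escaped version on the front end.
add_shortcode( 'demo_caption', function ( $atts ) {
    $atts = shortcode_atts( [ 'id' => get_the_ID() ], $atts );
    return demo_render_caption( absint( $atts['id'] ) );
} );
```

The same stored value is escaped twice because it is written into two different contexts, an HTML attribute and element text, and WordPress's `esc_attr()` and `esc_html()` are context-specific for that reason. Both steps are applied, rather than one or the other, because the five "input sanitization and output escaping" findings in the list below are exactly the case where relying on a single layer left a gap.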

It's important to note that all six vulnerabilities are distinct and completely unrelated to one another and arise specifically from insufficient security on the Elementor side. It's possible that one of them, CVE-2024-2120, affects both the free and pro versions. I contacted Wordfence for clarification on that and will update this article accordingly when I hear back.

List of Six Elementor Vulnerabilities

The following is a list of the six vulnerabilities and the versions they affect. All six vulnerabilities are rated as medium level security threats. The first two on the list affect Elementor Website Builder and the next four affect the Pro version. The CVE number is a reference to the official entry in the Common Vulnerabilities and Exposures database, which serves as a reference for known vulnerabilities.

  1. Elementor Website Builder (CVE-2024-2117)
    Affects up to and including 3.20.2 – Authenticated DOM-Based Stored Cross-Site Scripting via Path Widget
  2. Elementor Website Builder Pro (and possibly free) (CVE-2024-2120)
    Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Post Navigation
  3. Elementor Website Builder Pro (CVE-2024-1521)
    Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Form Widget SVGZ File Upload
    This vulnerability only affects NGINX-based servers. Servers running Apache HTTP Server are unaffected.
  4. Elementor Website Builder Pro (CVE-2024-2121)
    Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Media Carousel widget
  5. Elementor Website Builder Pro (CVE-2024-1364)
    Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via widget's custom_id
  6. Elementor Website Builder Pro (CVE-2024-2781)
    Affects up to and including 3.20.1 – Authenticated DOM-Based Stored Cross-Site Scripting via video_html_tag

All six vulnerabilities are rated as medium level security threats and require contributor-level permissions to execute.

Elementor Website Builder Changelog

According to Wordfence there are two vulnerabilities affecting the free version of Elementor. But the changelog shows there is only one fix.

The issues affecting the free version are in the Path Widget and in the Post Navigation Widget.

But the changelog for the free version only lists a patch for the Text Path Widget and not the Post Navigation one:

“Security Fix: Improved code security enforcement in Text Path Widget”

The Post Navigation Widget is a navigation feature that allows site visitors to navigate to the previous or next post in a series of posts.

So although it's missing in the changelog, it's included in the Elementor Pro changelog, which shows that it's fixed in that version:

  • “Security Fix: Improved code security enforcement in Media Carousel widget
  • Security Fix: Improved code security enforcement in Form widget
  • Security Fix: Improved code security enforcement in Post Navigation widget
  • Security Fix: Improved code security enforcement in Gallery widget
  • Security Fix: Improved code security enforcement in Video Playlist widget”

The missing entry in the free changelog may be a misprint by Wordfence, because the official Wordfence advisory for CVE-2024-2120 shows an entry for “software slug” as elementor-pro.

Recommended Course Of Action

Users of both versions of the Elementor Website Builder are encouraged to update their plugin to the latest version. Although exploiting the vulnerability requires an attacker to acquire contributor-level permission credentials, it's still within the realm of possibility, especially if contributors don't have strong passwords.

Read the official Wordfence advisories:

Elementor Website Builder – More than Just a Page Builder <= 3.20.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget CVE-2024-2117

Elementor Website Builder – More than Just a Page Builder <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation CVE-2024-2120

Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload CVE-2024-1521

Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2121

Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via widget's custom_id CVE-2024-1364

Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag CVE-2024-2781

Featured Image by Shutterstock/hugolacasse
