Safety researchers issued an advisory on six distinctive XSS vulnerabilities found within the Elementor Web site Builder and its Professional model that will enable attackers to inject malicious scripts.
Elementor Web site Builder
Elementor is a number one web site builder platform with over 5 million energetic installations worldwide, with the official WordPress depository claiming it powers over 16 million web sites worldwide. The drag and drop interface permits anybody to rapidly create skilled web sites whereas the Professional model extends the platform with extra widgets and superior ecommerce capabilities.
That reputation has additionally made Elementor a preferred goal for hackers which makes these six vulnerabilities of specific concern.
Six XSS Vulnerabilities
Elementor Web site Builder and the Professional model comprise six totally different Cross-Web site Scripting (XSS) vulnerabilities. 5 of the vulnerabilities are on account of inadequate enter sanitization and output escaping whereas one in every of them is because of inadequate enter sanitization.
Enter sanitization is a typical coding observe used to safe areas of a plugin that enable customers to enter knowledge right into a kind area or add media. The method of sanitization blocks any enter that doesn’t conform with what is anticipated. A correctly secured enter for textual content knowledge ought to block scripts or HTML, which is what enter sanitization does.
Output escaping is the method of securing what the plugin outputs to the browser to maintain it from exposing a website customer’s browser to untrusted scripts.
The official WordPress Developer Handbook advises for enter sanitization:
“Sanitizing enter is the method of securing/cleansing/filtering enter knowledge.”
It’s vital to notice that each one six vulnerabilities are distinct and fully unrelated to one another and come up particularly from inadequate safety from the Elementor facet. It’s doable that one in every of them, CVE-2024-2120, impacts each the free and professional variations. I contacted Wordfence for clarification on that and can replace this text accordingly after I hear again.
Record of Six Elementor Vulnerabilities
The next is an inventory of the six vulnerabilities and the variations they have an effect on. All six vulnerabilities are rated as medium stage safety threats. The primary two on the record have an effect on Elementor Web site Builder and the subsequent 4 have an effect on the Professional model. The CVE quantity is a reference to the official entry within the Widespread Vulnerabilities and Exposures database that serves as a reference for identified vulnerabilities.
- Elementor Web site Builder (CVE-2024-2117)
Impacts as much as and together with 3.20.2 – Authenticated DOM-Primarily based Saved Cross-Web site Scripting by way of Path Widget - Elementor Web site Builder Professional (and perhaps free) (CVE-2024-2120)
Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Web site Scripting by way of Put up Navigation - Elementor Web site Builder Professional (CVE-2024-1521)
Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Web site Scripting by way of Type Widget SVGZ File Add
This vulenrability solely impacts servers working NGINX-based servers. Servers working Apache HTTP Server are unaffected. - Elementor Web site Builder Professional (CVE-2024-2121)
Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Web site Scripting by way of Media Carousel widget - Elementor Web site Builder Professional (CVE-2024-1364)
Impacts as much as and together with 3.20.1 – Authententicated Saved Cross-Web site Scripting by way of widget’s custom_id - Elementor Web site Builder Professional (CVE-2024-2781)
Impacts as much as and together with 3.20.1 – Authenticated DOM-Primarily based Saved Cross-Web site Scripting by way of video_html_tag
All six vulnerabilities are rated as medium stage safety threats and require contributor-level permission stage to execute.
Elementor Web site Builder Changelog
In response to Wordfence there are two vulnerabilities affecting the free model of Elementor. However the changelog reveals there is just one repair.
The problems affecting the free model are in Path Widget and in Put up Navigation Widget.
However the changelog for the free model solely lists a patch for the Textual content Path Widget and never the Put up Navigation one:
“Safety Repair: Improved code safety enforcement in Textual content Path Widget”
The Put up Navigation Widget is a navigation function that enables website guests to navigate to the earlier or subsequent publish in a collection of posts.
So though it’s lacking within the changelog, it’s included within the Elementor Professional changelog which reveals that it’s mounted in that model:
- “Safety Repair: Improved code safety enforcement in Media Carousel widget
- Safety Repair: Improved code safety enforcement in Type widget
- Safety Repair: Improved code safety enforcement in Put up Navigation widget
- Safety Repair: Improved code safety enforcement in Gallery widget
- Safety Repair: Improved code safety enforcement in Video Playlist widget”
The lacking entry within the free changelog could also be an misprint by Wordfence as a result of the official Wordfence advisory for CVE-2024-2120 reveals an entry for “software program slug” as elementor-pro.
Really helpful Course Of Motion
Customers of each variations of the Elementor Web site Builder are inspired to replace their plugin to the most recent model. Though executing the vulnerability requires an attacker to accumulate a contributor stage permission credentials it’s nonetheless within the realm of potentialities particularly if contributors don’t have sturdy passwords.
Learn the official Wordfence advisories:
Featured Picture by Shutterstock/hugolacasse