XSS vulnerabilities in Essential Addons for Elementor could allow attackers to inject malicious scripts into WordPress websites
- Two Stored Cross-Site Scripting (XSS) vulnerabilities could allow attackers to inject malicious scripts into WordPress sites
- The XSS vulnerabilities originated from inadequate input sanitization and output escaping
- The vulnerabilities are rated as medium-level threats
Security researchers published advisories on the popular Essential Addons For Elementor WordPress plugin, which was discovered to contain two Stored Cross-Site Scripting vulnerabilities affecting over 2 million websites.
Flaws in two different widgets that are a part of the plugin are responsible for the vulnerabilities.
Two Widgets That Lead To Vulnerabilities
- Countdown Widget
- Woo Product Carousel Widget
Essential Addons For Elementor
Essential Addons is a plugin that extends the popular Elementor WordPress page builder. Elementor makes it easy for anyone to create websites and the Essential Addons makes it possible to add even more website features and widgets.
The Vulnerability
The advisory by Wordfence announced that the plugin contained a Stored Cross-Site Scripting (XSS) vulnerability. "Stored" means the attacker does not have to trick anyone into clicking a crafted link: the malicious script is saved in the widget's settings on the server and is delivered to the browser of every visitor who loads the affected page, including logged-in administrators. A script running in an administrator's browser can be used to steal session cookies or perform actions as that user, which is how an XSS bug becomes a site takeover.
XSS vulnerabilities are among the most common web application flaws. They arise when user-supplied input, such as the text in a widget's settings fields, is written into a page without being properly sanitized on the way in or escaped on the way out.
Plugins typically "sanitize" inputs, which means they validate or strip data that has no business in a given field, for example HTML tags in a setting that is meant to hold plain text, or any value outside a fixed list of allowed options.
The second safeguard is "escaping output": encoding the characters that have special meaning in HTML (such as <, >, " and &) at the moment a stored value is written into the page, so the browser renders them as literal text instead of interpreting them as markup or script. Escaping has to match the context in which the value lands: a value placed inside an HTML attribute needs attribute escaping, while a value placed between tags needs HTML escaping. Skipping either step, or applying the wrong one, leaves a path for injected scripts to reach the browser.
Wordfence cites both of those flaws as factors that led to the vulnerabilities.
They warned about the countdown widget:
“The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget’s message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization and output escaping.
This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
The warning about the Woo Product Carousel Widget:
“The Essential Addons for Elementor …plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the alignment parameter in the Woo Product Carousel widget in all versions up to, and including, 5.9.10 due to insufficient input sanitization and output escaping.”
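The two flaws quoted above illustrate the two classic XSS output contexts: a free-text message written between HTML tags, and an alignment value written into an attribute. The following is an added example written for this article, not code from Essential Addons for Elementor or from Wordfence; the widget markup, setting names and attacker payloads are assumed for illustration. It is plain PHP so it runs without WordPress, and the comments name the WordPress functions a plugin would normally call instead.

```php
<?php
// Added example (not code from Essential Addons for Elementor): how a widget
// that stores user-controlled "message" and "alignment" settings turns into
// stored XSS, and the sanitize-on-input / escape-on-output fix.
// Plain PHP so it runs without WordPress. In a real plugin the helpers marked
// below would be WordPress' sanitize_text_field(), esc_html() and esc_attr().

// Sanitize on input: keep only values the widget can legitimately use.
function sanitize_settings(array $s): array {
    // Alignment is an enum, so whitelist it instead of trying to filter it.
    $allowed = ['left', 'center', 'right'];
    $align = in_array($s['alignment'] ?? '', $allowed, true) ? $s['alignment'] : 'left';
    // Message is free text: drop tags and control characters
    // (WordPress: sanitize_text_field()).
    $message = strip_tags((string) ($s['message'] ?? ''));
    $message = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $message));
    return ['message' => $message, 'alignment' => $align];
}

// Escape on output. Both contexts below happen to be served by the same
// encoder in plain PHP; the point is that escaping is applied at the exact
// spot the value is written into markup, never earlier.
function esc_attr_ctx(string $v): string {   // WordPress: esc_attr()
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function esc_html_ctx(string $v): string {   // WordPress: esc_html()
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: stored settings are echoed straight into markup. The browser
// parses the <img> tag inside $message and the extra attribute inside $alignment.
function render_vulnerable(array $s): string {
    return '<div class="countdown" data-align="' . $s['alignment'] . '">'
         . '<p class="countdown-message">' . $s['message'] . '</p></div>';
}

// FIXED: sanitize what is stored, then escape for the context it is printed in.
// Even if sanitization were bypassed, the escaping alone would keep the
// payload inert, which is why both steps are expected.
function render_fixed(array $s): string {
    $s = sanitize_settings($s);
    return '<div class="countdown" data-align="' . esc_attr_ctx($s['alignment']) . '">'
         . '<p class="countdown-message">' . esc_html_ctx($s['message']) . '</p></div>';
}

// Constructed attacker input, as a contributor could save in widget settings.
$settings = [
    'message'   => 'Sale ends soon <img src=x onerror="alert(document.cookie)">',
    'alignment' => 'left" onmouseover="alert(1)',
];

echo "Vulnerable:\n" . render_vulnerable($settings) . "\n\n";
echo "Fixed:\n" . render_fixed($settings) . "\n";
```

Run it with `php example.php`. The vulnerable output contains a live `<img onerror=...>` element and a `data-align` attribute that has been closed early to smuggle in an `onmouseover` handler; the fixed output reduces the alignment to `left` and prints the message as inert text. Treating the enum-like setting as a whitelist rather than a string to be cleaned is the cheaper and safer choice for parameters such as alignment.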
Authenticated Attackers
What’s meant by the phrase “authenticated attackers” is that a hacker needs to hold an account on the target website before launching the attack. The Essential Addons for Elementor vulnerabilities require contributor-level access or higher. Contributor is the lowest WordPress role that can create post content, so sites that let untrusted people register as contributors, such as guest-author programs or membership sites, are the most exposed.
Medium Level Threat – Updating Recommended
The vulnerability is rated as a medium threat and has been assigned a CVSS score of 6.4 on a scale of 0 – 10, with 10 being the most critical level of vulnerability.
Plugin users that have version 5.9.11 or lower are recommended to upgrade to the latest version of the plugin, currently version 5.9.13.
Read the Wordfence security bulletins:
- Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting (Countdown widget, message parameter)
- Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting (Woo Product Carousel widget, alignment parameter)