Tuesday, July 2, 2024

Elementor WordPress Plugin Hit By 6 Vulnerabilities

Safety researchers issued an advisory on six distinctive XSS vulnerabilities found within the Elementor Web site Builder and its Professional model that will enable attackers to inject malicious scripts.

Elementor Web site Builder

Elementor is a number one web site builder platform with over 5 million energetic installations worldwide, with the official WordPress depository claiming it powers over 16 million web sites worldwide. The drag and drop interface permits anybody to rapidly create skilled web sites whereas the Professional model extends the platform with further widgets and superior ecommerce capabilities.

That recognition has additionally made Elementor a preferred goal for hackers which makes these six vulnerabilities of specific concern.

Six XSS Vulnerabilities

Elementor Web site Builder and the Professional model include six totally different Cross-Web site Scripting (XSS) vulnerabilities. 5 of the vulnerabilities are because of inadequate enter sanitization and output escaping whereas one among them is because of inadequate enter sanitization.

Enter sanitization is a regular coding apply used to safe areas of a plugin that enable customers to enter knowledge right into a type discipline or add media. The method of sanitization blocks any enter that doesn’t conform with what is anticipated. A correctly secured enter for textual content knowledge ought to block scripts or HTML, which is what enter sanitization does.

Output escaping is the method of securing what the plugin outputs to the browser to maintain it from exposing a web site customer’s browser to untrusted scripts.

The official WordPress Developer Handbook advises for enter sanitization:

“Sanitizing enter is the method of securing/cleansing/filtering enter knowledge.”

It’s vital to notice that every one six vulnerabilities are distinct and fully unrelated to one another and come up particularly from inadequate safety from the Elementor aspect. It’s potential that one among them, CVE-2024-2120, impacts each the free and professional variations. I contacted Wordfence for clarification on that and can replace this text accordingly after I hear again.

Record of Six Elementor Vulnerabilities

The next is an inventory of the six vulnerabilities and the variations they have an effect on. All six vulnerabilities are rated as medium degree safety threats. The primary two on the record have an effect on Elementor Web site Builder and the subsequent 4 have an effect on the Professional model. The CVE quantity is a reference to the official entry within the Frequent Vulnerabilities and Exposures database that serves as a reference for identified vulnerabilities.

  1. Elementor Web site Builder (CVE-2024-2117)
    Impacts as much as and together with 3.20.2 – Authenticated DOM-Primarily based Saved Cross-Web site Scripting through Path Widget
  2. Elementor Web site Builder Professional (and perhaps free) (CVE-2024-2120)
    Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Web site Scripting through Submit Navigation
  3. Elementor Web site Builder Professional (CVE-2024-1521)
    Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Web site Scripting through Kind Widget SVGZ File Add
    This vulenrability solely impacts servers working NGINX-based servers. Servers working Apache HTTP Server are unaffected.
  4. Elementor Web site Builder Professional (CVE-2024-2121)
    Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Web site Scripting through Media Carousel widget
  5. Elementor Web site Builder Professional (CVE-2024-1364)
    Impacts as much as and together with 3.20.1 – Authententicated Saved Cross-Web site Scripting through widget’s custom_id
  6. Elementor Web site Builder Professional (CVE-2024-2781)
    Impacts as much as and together with 3.20.1 – Authenticated DOM-Primarily based Saved Cross-Web site Scripting through video_html_tag

All six vulnerabilities are rated as medium degree safety threats and require contributor-level permission degree to execute.

Elementor Web site Builder Changelog

In response to Wordfence there are two vulnerabilities affecting the free model of Elementor. However the changelog reveals there is just one repair.

The problems affecting the free model are in Path Widget and in Submit Navigation Widget.

However the changelog for the free model solely lists a patch for the Textual content Path Widget and never the Submit Navigation one:

“Safety Repair: Improved code safety enforcement in Textual content Path Widget”

The Submit Navigation Widget is a navigation function that enables web site guests to navigate to the earlier or subsequent put up in a collection of posts.

So though it’s lacking within the changelog, it’s included within the Elementor Professional changelog which reveals that it’s fastened in that model:

  • “Safety Repair: Improved code safety enforcement in Media Carousel widget
  • Safety Repair: Improved code safety enforcement in Kind widget
  • Safety Repair: Improved code safety enforcement in Submit Navigation widget
  • Safety Repair: Improved code safety enforcement in Gallery widget
  • Safety Repair: Improved code safety enforcement in Video Playlist widget”

The lacking entry within the free changelog could also be an misprint by Wordfence as a result of the official Wordfence advisory for CVE-2024-2120 reveals an entry for “software program slug” as elementor-pro.

Beneficial Course Of Motion

Customers of each variations of the Elementor Web site Builder are inspired to replace their plugin to the most recent model. Though executing the vulnerability requires an attacker to amass a contributor degree permission credentials it’s nonetheless within the realm of potentialities particularly if contributors don’t have sturdy passwords.

Learn the official Wordfence advisories:

Elementor Web site Builder – Greater than Only a Web page Builder <= 3.20.2 – Authenticated (Contributor+) DOM-Primarily based Saved Cross-Web site Scripting through Path Widget CVE-2024-2117

Elementor Web site Builder – Greater than Only a Web page Builder <= 3.20.1 – Authenticated (Contributor+) Saved Cross-Web site Scripting through Submit Navigation CVE-2024-2120

Elementor Web site Builder Professional <= 3.20.1 – Authenticated (Contributor+) Saved Cross-Web site Scripting through Kind Widget SVGZ File Add CVE-2024-1521

Elementor Web site Builder Professional <= 3.20.1 – Authenticated (Contributor+) Saved Cross-Web site Scripting CVE-2024-2121

Elementor Web site Builder Professional <= 3.20.1 – Authententicated (Contributor+) Saved Cross-Web site Scripting through widget’s custom_id CVE-2024-1364

Elementor Web site Builder Professional <= 3.20.1 – Authenticated (Contributor+) DOM-Primarily based Saved Cross-Web site Scripting through video_html_tag CVE-2024-2781

Featured Picture by Shutterstock/hugolacasse

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles