Researchers have identified two different kinds of vulnerabilities in Elementor add-on plugins.
One of them is rated a high-severity threat because it can allow attackers to bypass access controls, execute code on the server, and obtain sensitive data.
Most of the vulnerabilities in this batch are Stored Cross-Site Scripting (XSS), which is also the most common class of vulnerability in WordPress plugins and themes generally. Three of them are Local File Inclusion (LFI) vulnerabilities.
XSS vulnerabilities are a prevalent issue in WordPress plugins and themes. They usually arise because user-supplied input is not cleaned when it is saved (input sanitization) and is not escaped for its context when it is written into a page (output escaping).
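As an added illustration (this is not code from any of the plugins named in this article), the following PHP shows the pattern behind the "stored XSS via widget link" advisories listed later: a widget saves a URL, a CSS class and a label chosen by a contributor, then renders them. The first version echoes the saved settings straight into markup; the second escapes each value for the context it lands in and refuses URL schemes that can run script. The helper names `esc_url_demo` and `esc_attr_demo` are hypothetical stand-ins so the file runs outside WordPress; inside a plugin the equivalents are `esc_url()`, `esc_attr()` and `esc_html()` (or `wp_kses_post()` when a label is meant to carry limited HTML).

```php
<?php
// Added example, not code from any plugin named in the article.
// Stored XSS via a widget link setting: vulnerable render beside the hardened render.
declare(strict_types=1);

// VULNERABLE: saved widget settings are written into markup exactly as stored.
// A contributor cannot post raw HTML in post content (no unfiltered_html capability),
// so the widget's own settings path has to do the escaping, and here it does not.
function render_link_vulnerable(array $settings): string
{
    return '<a href="' . $settings['url'] . '" class="' . $settings['class'] . '">'
         . $settings['label'] . '</a>';
}

// Stand-in for WordPress esc_attr()/esc_html(): HTML-escape for an attribute or text node.
function esc_attr_demo(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-in for WordPress esc_url(): only schemes that cannot execute script survive.
function esc_url_demo(string $url): string
{
    // Browsers ignore tabs and newlines inside a scheme ("java\tscript:"),
    // so strip control characters before inspecting it.
    $url   = preg_replace('/[\x00-\x1f\x7f]/', '', trim($url));
    $parts = parse_url($url);
    if ($parts === false) {
        return '';
    }
    $scheme = strtolower($parts['scheme'] ?? '');          // '' for relative URLs
    if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return '';                                           // javascript:, data:, vbscript: ... dropped
    }
    return esc_attr_demo($url);                              // still attribute-escape the survivor
}

// HARDENED: every value is escaped for the context it is placed in.
function render_link_hardened(array $settings): string
{
    return '<a href="' . esc_url_demo($settings['url'])
         . '" class="' . esc_attr_demo($settings['class']) . '">'
         . esc_attr_demo($settings['label']) . '</a>';
}

// Constructed settings, as a contributor-level user could save them.
$payload = [
    'url'   => 'javascript:alert(document.cookie)',
    'class' => 'btn" onmouseover="alert(1)',
    'label' => '<img src=x onerror=alert(2)>',
];

echo render_link_vulnerable($payload), "\n";
// <a href="javascript:alert(document.cookie)" class="btn" onmouseover="alert(1)"><img src=x onerror=alert(2)></a>

echo render_link_hardened($payload), "\n";
// <a href="" class="btn&quot; onmouseover=&quot;alert(1)">&lt;img src=x onerror=alert(2)&gt;</a>
```

The three payloads land in three different contexts (URL attribute, plain attribute, text node), which is why a single "strip tags" pass at save time is not enough: the class attribute payload contains no tag at all, and the URL payload is defeated only by checking the scheme.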
A Local File Inclusion vulnerability occurs when user-controlled input decides which file a script loads and executes. File inclusion itself is an ordinary coding construct: an include statement tells the application to pull in code from another file, such as a PHP file. As a legitimate example, in PHP I have used includes to take a value such as a page title from one file and insert it into the meta description of another.
This type of vulnerability poses a significant threat because an attacker who controls the included path can make the server execute a file of their choosing, bypassing restrictions on what the site will do and reaching data that is normally off limits.
The Open Web Application Security Project (OWASP) explains that a Local File Inclusion vulnerability lets an attacker include a file by abusing the application's "dynamic file inclusion" mechanism, and that it arises when user-supplied input is used to build the file path without proper validation.
“This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:
Code execution on the web server
Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
Denial of Service (DoS)
Sensitive Information Disclosure”
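The following PHP is an added illustration of the mechanism described above, not the ElementsKit `render_raw` code or code from any other plugin in this article. A hypothetical widget picks a layout file from a saved setting; the vulnerable version joins that setting onto a path and includes it, so a relative path can reach a file a contributor uploaded as an "image". The hardened version allowlists the layout names the plugin ships and confines the resolved path to the layouts directory. The directory layout, file names and `$base` location are all constructed for the demo.

```php
<?php
// Added example, not code from any plugin named in the article.
// Local File Inclusion through a user-controlled layout setting, then the hardened form.
declare(strict_types=1);

// Constructed fixture: a layouts directory the plugin "ships" and an uploads directory.
$base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$base/layouts", 0700, true);
mkdir("$base/uploads", 0700, true);
file_put_contents("$base/layouts/grid.php", '<?php echo "grid layout rendered\n";');
// A "safe" upload: the extension says image, but include() does not care about extensions.
file_put_contents("$base/uploads/avatar.jpg", '<?php echo "attacker code executed\n";');

// VULNERABLE: the saved layout name is joined onto a path and included as-is,
// so "../uploads/avatar.jpg" walks out of the layouts directory.
function render_raw_vulnerable(string $base, array $settings): void
{
    $file = $base . '/layouts/' . $settings['layout'];
    include $file;
}

// HARDENED: accept only layout names the plugin knows, then verify the resolved
// path still lives under the layouts directory before including it.
function render_raw_hardened(string $base, array $settings): void
{
    $allowed = ['grid', 'list'];                         // assumption: layouts the plugin ships
    $layout  = basename((string) $settings['layout']);   // drops any directory component
    if (!in_array($layout, $allowed, true)) {
        throw new RuntimeException("unknown layout: $layout");
    }
    $dir  = realpath($base . '/layouts');
    $file = realpath($dir . '/' . $layout . '.php');
    // realpath() is false for a missing file; the prefix check also defeats symlinks
    // and any traversal that might survive basename() in a less strict allowlist.
    if ($file === false || strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('layout resolves outside the template directory');
    }
    include $file;
}

// Constructed settings, as a contributor-level user could save them.
render_raw_vulnerable($base, ['layout' => 'grid.php']);            // grid layout rendered
render_raw_vulnerable($base, ['layout' => '../uploads/avatar.jpg']); // attacker code executed

render_raw_hardened($base, ['layout' => 'grid']);                  // grid layout rendered
try {
    render_raw_hardened($base, ['layout' => '../uploads/avatar.jpg']);
} catch (RuntimeException $e) {
    echo "blocked: {$e->getMessage()}\n";                           // blocked: unknown layout: avatar.jpg
}

// Remove the fixture.
unlink("$base/layouts/grid.php");
unlink("$base/uploads/avatar.jpg");
rmdir("$base/layouts");
rmdir("$base/uploads");
rmdir($base);
```

Two points worth noting from the run: the uploaded `.jpg` executes as PHP the moment it is included, which is exactly the "supposedly safe file types" scenario in the ElementsKit advisory, and the fix rejects the request before any filesystem access happens because the allowlist check comes first. The `realpath` prefix check is the fallback for code paths where a fixed allowlist is not practical.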
List Of Vulnerable Elementor Add-On Plugins
Eleven Elementor add-on plugins have vulnerability advisories. Two advisories were issued today (March 29th), and two were issued on March 28th. The remaining seven advisories were issued within the past few days.
Some of the plugins have more than one vulnerability, resulting in a total of 15 vulnerabilities across the eleven plugins.
Out of the eleven plugins, one is considered a High Severity vulnerability while the remaining ten are categorized as Medium Severity.
Here is the list of plugins, starting with the most recent advisory and going back to the earliest. The number in parentheses after a plugin name indicates how many vulnerabilities it has.
List of Vulnerable Elementor Add-Ons
ElementsKit Elementor addons (x2)
Unlimited Elements For Elementor
140+ Widgets | Best Addons For Elementor
Better Elementor Addons
Elementor Addon Elements (x2)
Master Addons for Elementor
The Plus Addons for Elementor (x2)
Essential Addons for Elementor (x2)
Element Pack Elementor Addons
Prime Slider – Addons For Elementor
Move Addons for Elementor
High Severity Vulnerability
A high-severity vulnerability, rated 8.8 out of 10, has been discovered in the ElementsKit Elementor Addons plugin for WordPress. It is a major concern because the plugin is active on over a million websites.
The plugin's popularity stems from its all-in-one functionality, which lets users customize a wide range of on-page design elements in headers, footers, and menus. It also offers a template library and 85 widgets that extend pages built with the Elementor website builder.
The vulnerability threat was outlined by Wordfence security researchers.
Millions of WordPress Sites Affected
The ElementsKit Elementor Addons plugin for WordPress, in versions up to and including 3.0.6, is vulnerable to Local File Inclusion through its render_raw function. The flaw lets authenticated attackers with contributor-level access or higher include and execute arbitrary files on the server, which means any PHP code in those files runs. It can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where supposedly "safe" file types such as images can be uploaded and then included.
List of Vulnerable Plugins By Number Of Installations
The vulnerabilities have the potential to impact over 3 million websites. Two of the plugins alone account for three million active installations. Because these all-in-one plugins overlap heavily in features, most sites run only one of them; each one bundles the essential widgets for sliders, menus, and other on-page elements, so there is little reason to install two.
Essential Addons for Elementor – 2 Million
ElementsKit Elementor addons – 1 Million
Unlimited Elements For Elementor – 200k
Elementor Addon Elements – 100k
The Plus Addons for Elementor – 100k
Element Pack Elementor Addons – 100k
Prime Slider – Addons For Elementor – 100k
Master Addons for Elementor – 40k
140+ Widgets | Best Addons For Elementor – 10k
Move Addons for Elementor – 3k
Better Elementor Addons – Unknown – Closed By WordPress
Recommended Action
It's important to note that while these vulnerabilities require the attacker to hold at least contributor-level access, a site that allows user registration, or that runs another vulnerable plugin or theme, can still hand an attacker that foothold. The potential danger should not be underestimated.
Before updating a live website, test the patched plugin versions on a staging copy to confirm they function properly, then apply them to production without delay. This precaution helps avoid breaking the site while still closing the holes.
Read the official Wordfence advisories (with CVE numbers):
03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-1238
03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Local File Inclusion in render_raw CVE-2024-2047 8.8 HIGH THREAT
03/29 Unlimited Elements For Elementor <= 1.5.96 – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link CVE-2024-0367
On 3/28, an advisory was issued for 140+ Widgets | Best Addons For Elementor, versions below 1.4.2: Authenticated (Contributor+) Stored Cross-Site Scripting, CVE-2024-2250.
Also on 3/28, Better Elementor Addons, version 1.4.1 and earlier: Authenticated (Contributor+) Stored Cross-Site Scripting via widget links, CVE-2024-2280.
Elementor Addon Elements, version 1.13.1 and earlier: authenticated users with Contributor-level access or higher can exploit a Stored Cross-Site Scripting vulnerability, CVE-2024-2091.
Elementor Addon Elements, version 1.13.2 and earlier: authenticated users with Contributor-level access or higher can exploit a DOM-Based Stored Cross-Site Scripting vulnerability through the 'Text Separator' and 'Image Compare' widgets, CVE-2024-2792.
Master Addons for Elementor, version 2.0.5.6 and earlier: authenticated users (Contributor and higher) can exploit a Stored Cross-Site Scripting vulnerability through the Pricing Table widget, CVE-2024-2139.
The Plus Addons for Elementor, version 5.4.1 and earlier: authenticated users (Contributor and higher) can exploit a Local File Inclusion vulnerability through the Team Member Listing feature, CVE-2024-2210.
The Plus Addons for Elementor, version 5.4.1 and earlier: authenticated users with Contributor or higher roles can exploit a Local File Inclusion vulnerability through the Clients widget, CVE-2024-2203.
Essential Addons for Elementor, version 5.9.11 and earlier, is susceptible to an Authenticated Stored Cross-Site Scripting attack by users with Contributor or higher roles. It is triggered through the message parameter in the Countdown widget, CVE-2024-2623.
Essential Addons for Elementor version 5.9.11 and below has a security issue where authenticated users with contributor level access or higher can exploit a stored cross-site scripting vulnerability through the alignment parameter in the Woo Product Carousel widget. This vulnerability is identified as CVE-2024-2650.
Another Elementor addon, Element Pack, version 5.5.3 and below, also has a security issue. Authenticated users with contributor level access or higher can exploit a stored cross-site scripting vulnerability through a link. This vulnerability is identified as CVE-2024-30185.
Prime Slider – Addons For Elementor version 3.13.1 or below has a vulnerability that allows authenticated users with contributor level access or higher to execute stored cross-site scripting attacks through the title, identified as CVE-2024-30186.
Similarly, Move Addons for Elementor version 1.2.9 or below has a vulnerability that enables authenticated users with contributor level access or higher to execute stored cross-site scripting attacks, identified as CVE-2024-2131.
Editor's P/S:
The article highlights a series of vulnerabilities discovered in Elementor add-on plugins for WordPress, which are commonly used for website customization. These vulnerabilities, including