Security researchers recently released a warning about a security issue found in the widely-used Essential Addons For Elementor WordPress plugin. This vulnerability, known as Stored Cross-Site Scripting, has the potential to impact more than 2 million websites.
The flaws were identified in two specific widgets within the plugin, which are the root cause of these vulnerabilities.
Two Widgets That Lead To Vulnerabilities
Countdown Widget
Woo Product Carousel Widget
Essential Addons For Elementor
The Vulnerability
Essential Addons is an extension for the widely used Elementor WordPress page builder. Elementor simplifies website creation for everyone, and Essential Addons enhances it by providing additional website features and widgets.
Wordfence issued a warning about a vulnerability found in the plugin, which is known as Stored Cross-Site Scripting (XSS). This type of vulnerability enables attackers to upload harmful scripts and target the web browsers of visitors, potentially leading to the theft of session cookies and gaining control of the website.
One of the most prevalent types of vulnerabilities is XSS, which occurs when there is a lack of proper sanitization (filtering) in fields that accept user inputs such as text or images.
Plugins usually clean up inputs by filtering out any unwanted inputs such as scripts.
Another common issue that can lead to an XSS vulnerability is failing to remove any output that contains harmful data, also known as "escaping output," to prevent it from reaching a browser.
Wordfence cites both of those flaws as factors that led to the vulnerabilities.
They warned about the countdown widget:
The Essential Addons for Elementor plugin for WordPress has a vulnerability in all versions up to 5.9.11. This vulnerability is related to the countdown widget's message parameter, which lacks proper input sanitization and output escaping.
As a result, authenticated attackers with contributor access or higher can exploit this vulnerability to inject malicious web scripts into pages. These scripts will then run whenever a user visits the affected page.
Warning about the Woo Product Carousel Widget:
The Essential Addons for Elementor plugin for WordPress has a vulnerability in the Woo Product Carousel widget. This vulnerability allows for Stored Cross-Site Scripting through the alignment parameter. This issue affects all versions up to, and including, 5.9.10. The vulnerability is due to insufficient input sanitization and output escaping.
See also:
The WordPress Security Guide To Keep Your Site Safe
WordPress Security: 16 Steps to Secure & Protect Your Site
Authenticated Attackers
The phrase "authenticated attackers" refers to hackers who have obtained website credentials to carry out an attack. In the case of the Essential Addons for Elementor vulnerability, the attacker must have contributor level access or higher.
Medium Level Threat – It is Recommended to Update
The vulnerability is considered a medium threat, with a rating of 6.4 out of 10 on the severity scale.
Users of the plugin with version 5.9.11 or older are advised to update to the newest version, which is currently version 5.9.13.
Make sure to check out the security bulletins from Wordfence. One of the recent issues involved Essential Addons for Elementor version <= 5.9.11, which was found to have an Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability.
Essential Addons for Elementor version 5.9.11 or lower has a security issue known as Authenticated Stored Cross-Site Scripting. This vulnerability allows contributors and higher-level users to inject malicious code into the website. It is recommended to update to the latest version to patch this vulnerability.
The featured image for this content is provided by Shutterstock and created by Aleksandrs Sokolovs.
Editor's P/S:
The recently discovered vulnerability in the Essential Addons for Elementor WordPress plugin highlights the ongoing threat of security breaches in the digital landscape. This particular issue, known as Stored Cross-Site Scripting, affects over 2 million websites, putting them at risk of malicious attacks and data theft. The vulnerabilities stem from insufficient input sanitization and output escaping, allowing attackers with contributor access to inject harmful scripts into web pages.
To mitigate these risks, it is crucial for plugin users to promptly update to the latest version. Version 5.9.13 addresses the vulnerabilities, providing a secure solution. Additionally, website owners should implement best practices such as regular security audits and maintaining up-to-date software to minimize the likelihood of future breaches. The WordPress Security Guide and WordPress Security: 16 Steps to Secure & Protect Your Site offer valuable resources to enhance website security. By staying vigilant and taking proactive measures, website owners can protect their sites and safeguard user data from malicious actors.