2M+ WordPress Sites Hit By Essential Addons For Elementor Vulnerability

XSS vulnerabilities in Essential Addons for Elementor could allow attackers to inject malicious scripts into WordPress websites

  • Two Stored Cross-Site Scripting (XSS) vulnerabilities could allow attackers to inject malicious scripts into WordPress sites
  • The XSS vulnerabilities originated from inadequate input sanitization and output escaping
  • The vulnerabilities are rated as medium-severity threats

Security researchers published an advisory on the popular Essential Addons For Elementor WordPress plugin, which was discovered to contain Stored Cross-Site Scripting vulnerabilities affecting over 2 million websites.

Flaws in two different widgets that are part of the plugin are responsible for the vulnerabilities.

Two Widgets That Lead To Vulnerabilities

  1. Countdown Widget
  2. Woo Product Carousel Widget

Essential Addons For Elementor

Essential Addons is a plugin that extends the popular Elementor WordPress page builder. Elementor makes it easy for anyone to create websites, and Essential Addons makes it possible to add even more website features and widgets.

The Vulnerability

The advisory by Wordfence announced that the plugin contained a Stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to store a malicious script in the site and attack the browsers of website visitors, which can itself lead to stealing session cookies in order to take control of the website.

XSS vulnerabilities are among the most common web flaws and arise from a failure to properly sanitize (screen or filter) fields that accept input such as text or images.

Plugins typically "sanitize" inputs, which means that they filter out unwanted content such as script tags before the value is stored.

The other flaw that creates an XSS vulnerability is the failure to "escape output," which means encoding characters with special meaning in HTML (such as <, >, " and &) at the moment a stored value is written into a page, so the browser renders them as text instead of interpreting them as markup or JavaScript. Sanitization and escaping are separate controls: sanitizing protects what is stored, escaping protects what is rendered, and a plugin that skips either one can leave attacker-controlled content live in the page.

Wordfence cites both of those flaws as factors that led to the vulnerabilities.
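To make the two failure modes concrete, here is an added example (not code from Essential Addons or Wordfence) of a toy countdown widget that renders a user-controlled text "message" and a CSS "alignment" setting, first without and then with WordPress-style sanitization and output escaping. The settings names, the widget markup and the attacker payloads are all constructed for illustration; the shims at the top are only so the file runs under the plain php CLI, and inside WordPress they are skipped in favour of the real esc_html(), esc_attr() and sanitize_text_field().

```php
<?php
// Added example (not Essential Addons code). Runs stand-alone with `php xss_demo.php`;
// inside WordPress the real escaping/sanitizing functions are used instead of these shims.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation of WordPress behaviour for this demo: strip tags, drop control chars, trim.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/u', '', $str );
        return trim( $str );
    }
}

// Vulnerable pattern: settings saved by a Contributor are echoed verbatim into the page,
// so markup in either value becomes live HTML for every visitor who loads the page.
function render_countdown_vulnerable( array $settings ) {
    return '<div class="countdown ' . $settings['alignment'] . '">'
         . $settings['message'] . '</div>';
}

// Hardened pattern, step 1: sanitize on save. The message keeps plain text only, and the
// alignment is reduced to a fixed allow-list, because a free-form string has no business
// inside a class attribute even after escaping.
function sanitize_countdown_settings( array $raw ) {
    $allowed_alignments = array( 'left', 'center', 'right' );
    $alignment = in_array( $raw['alignment'] ?? '', $allowed_alignments, true )
        ? $raw['alignment']
        : 'left';
    return array(
        'message'   => sanitize_text_field( $raw['message'] ?? '' ),
        'alignment' => $alignment,
    );
}

// Hardened pattern, step 2: escape on output, choosing the escaper by context:
// esc_attr() inside an attribute value, esc_html() for element text content.
function render_countdown_hardened( array $settings ) {
    return '<div class="countdown ' . esc_attr( $settings['alignment'] ) . '">'
         . esc_html( $settings['message'] ) . '</div>';
}

// Constructed attacker input (hypothetical, not taken from any advisory): one payload
// breaks out of the attribute, the other plants an event handler in the text.
$malicious = array(
    'message'   => 'Sale ends <img src=x onerror=alert(document.cookie)>',
    'alignment' => 'left" onmouseover="alert(1)',
);

echo "Vulnerable:\n", render_countdown_vulnerable( $malicious ), "\n\n";
// Escaping alone already neutralises both payloads: the tag is rendered as visible text.
echo "Escaped only:\n", render_countdown_hardened( $malicious ), "\n\n";
// Sanitize on save plus escape on output is what the Wordfence advisory asks for.
echo "Sanitized and escaped:\n",
     render_countdown_hardened( sanitize_countdown_settings( $malicious ) ), "\n";
```

The vulnerable render emits `<div class="countdown left" onmouseover="alert(1)">Sale ends <img src=x onerror=alert(document.cookie)></div>`, with both injected handlers intact. The escaped-only render turns the same input into inert text (`&lt;img ...&gt;` and `&quot;` in the attribute), which is why output escaping is the control that actually stops the script from executing; sanitizing on save is defence in depth that keeps the junk out of the database in the first place, and the allow-list for alignment shows the stronger option for any setting that only has a handful of legitimate values.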

They warned about the countdown widget:

“The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget’s message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The warning about the Woo Product Carousel Widget:

“The Essential Addons for Elementor …plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the alignment parameter in the Woo Product Carousel widget in all versions up to, and including, 5.9.10 due to insufficient input sanitization and output escaping.”

Authenticated Attackers

What’s meant by the phrase “authenticated attackers” is that a hacker must first obtain website credentials in order to launch the attack. The Essential Addons for Elementor vulnerabilities require an attacker to have contributor-level access or higher. Contributor is the lowest role that can write posts (pending review), so any site that accepts guest authors, open registration with elevated roles, or has a leaked contributor account is exposed.

Medium Level Threat – Updating Recommended

The vulnerabilities are rated as medium-severity threats and have been assigned a score of 6.4 on the 0 – 10 CVSS scale, with 10 being the most critical level of vulnerability.

Plugin users running version 5.9.11 or lower are recommended to upgrade to the latest version of the plugin, currently version 5.9.13.

Read the Wordfence security bulletins:

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

Featured Image by Shutterstock/Aleksandrs Sokolovs

SEJ STAFF Roger Montti, Owner at Martinibuster.com
