Elementor WordPress Plugin Hit By 6 Vulnerabilities via @sejournal, @martinibuster

Security researchers issued an advisory on six unique XSS vulnerabilities discovered in the Elementor Website Builder and its Pro version that may allow attackers to inject malicious scripts.

Elementor Website Builder

Elementor is a leading website builder platform with over 5 million active installations worldwide, with the official WordPress repository claiming it powers over 16 million websites worldwide. The drag and drop interface allows anyone to quickly create professional websites, while the Pro version extends the platform with additional widgets and advanced ecommerce capabilities.

That popularity has also made Elementor a popular target for hackers, which makes these six vulnerabilities of particular concern.

Six XSS Vulnerabilities

Elementor Website Builder and the Pro version contain six different Cross-Site Scripting (XSS) vulnerabilities. Five of the vulnerabilities are due to insufficient input sanitization and output escaping, while one of them is due to insufficient input sanitization.

Input sanitization is a standard coding practice used to secure areas of a plugin that allow users to input data into a form field or upload media. The process of sanitization blocks any input that does not conform with what is expected. A properly secured input for text data should block scripts or HTML, which is what input sanitization does.

Output escaping is the process of securing what the plugin outputs to the browser to keep it from exposing a site visitor’s browser to untrusted scripts.

The official WordPress Developer Handbook advises for input sanitization:

“Sanitizing input is the process of securing/cleaning/filtering input data.”
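
The two practices described above, shown together as an added example (not code from Elementor, Wordfence or the original article). The widget, its setting names (`tag`, `id`, `title`) and the `example_*` functions are hypothetical; the code assumes it runs inside WordPress, which supplies `sanitize_text_field()`, `sanitize_html_class()`, `esc_attr()` and `esc_html()`.

```php
<?php
// Added example: a hypothetical widget renderer, not Elementor code.
// Assumes WordPress is loaded (for example from a plugin file).

// Allowlist of element names the hypothetical widget may render.
const EXAMPLE_ALLOWED_TAGS = array( 'h2', 'h3', 'p', 'div', 'span' );

/**
 * Input sanitization: normalise or reject anything that does not match
 * what each field is supposed to contain, before it is stored or used.
 */
function example_sanitize_settings( array $raw ) {
    $tag = isset( $raw['tag'] ) ? strtolower( (string) $raw['tag'] ) : 'div';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_TAGS, true ) ) {
        $tag = 'div'; // allowlist with a safe default, not a blocklist
    }
    return array(
        'tag'   => $tag,
        // Keeps only characters valid in a class/ID token.
        'id'    => sanitize_html_class( isset( $raw['id'] ) ? (string) $raw['id'] : '' ),
        // Strips tags and control characters from a plain-text field.
        'title' => sanitize_text_field( isset( $raw['title'] ) ? (string) $raw['title'] : '' ),
    );
}

/**
 * Output escaping: encode every value for the context it lands in, even
 * after sanitizing, because stored data may predate the sanitizer.
 */
function example_render_widget( array $settings ) {
    $s = example_sanitize_settings( $settings );
    return sprintf(
        '<%1$s id="%2$s">%3$s</%1$s>',
        $s['tag'],               // safe: value can only come from the allowlist
        esc_attr( $s['id'] ),    // HTML attribute context
        esc_html( $s['title'] )  // element text context
    );
}

// Constructed hostile settings of the kind a contributor-level account could save.
$constructed = array(
    'tag'   => 'img src=x onerror=alert(1)',
    'id'    => '"><script>alert(1)</script>',
    'title' => '<b>Hello</b> & welcome',
);
echo example_render_widget( $constructed ), "\n";
```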

It’s important to note that all six vulnerabilities are distinct and completely unrelated to each other and arise specifically from insufficient security from the Elementor side. It’s possible that one of them, CVE-2024-2120, affects both the free and pro versions. I contacted Wordfence for clarification on that and will update this article accordingly after I hear back.

List of Six Elementor Vulnerabilities

The following is a list of the six vulnerabilities and the versions they affect. All six vulnerabilities are rated as medium level security threats. The first two on the list affect Elementor Website Builder and the next four affect the Pro version. The CVE number is a reference to the official entry in the Common Vulnerabilities and Exposures database that serves as a reference for known vulnerabilities.

  1. Elementor Website Builder (CVE-2024-2117)
    Affects up to and including 3.20.2 – Authenticated DOM-Based Stored Cross-Site Scripting via Path Widget
  2. Elementor Website Builder Pro (and possibly free) (CVE-2024-2120)
    Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Post Navigation
  3. Elementor Website Builder Pro (CVE-2024-1521)
    Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Form Widget SVGZ File Upload
    This vulnerability only affects servers running NGINX-based servers. Servers running Apache HTTP Server are unaffected.
  4. Elementor Website Builder Pro (CVE-2024-2121)
    Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Media Carousel widget
  5. Elementor Website Builder Pro (CVE-2024-1364)
    Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via widget’s custom_id
  6. Elementor Website Builder Pro (CVE-2024-2781)
    Affects up to and including 3.20.1 – Authenticated DOM-Based Stored Cross-Site Scripting via video_html_tag

All six vulnerabilities are rated as medium level security threats and require contributor-level permissions to execute.

Elementor Website Builder Changelog

According to Wordfence there are two vulnerabilities affecting the free version of Elementor. But the changelog shows there is only one fix.

The issues affecting the free version are in Path Widget and in Post Navigation Widget.

But the changelog for the free version only lists a patch for the Text Path Widget and not the Post Navigation one:

“Security Fix: Improved code security enforcement in Text Path Widget”

The Post Navigation Widget is a navigation feature that allows site visitors to navigate to the previous or next post in a series of posts.

So although it’s missing in the changelog, it is included in the Elementor Pro changelog which shows that it’s fixed in that version:

  • “Security Fix: Improved code security enforcement in Media Carousel widget
  • Security Fix: Improved code security enforcement in Form widget
  • Security Fix: Improved code security enforcement in Post Navigation widget
  • Security Fix: Improved code security enforcement in Gallery widget
  • Security Fix: Improved code security enforcement in Video Playlist widget”

The missing entry in the free changelog may be an error by Wordfence because the official Wordfence advisory for CVE-2024-2120 shows an entry for “software slug” as elementor-pro.

Recommended Course Of Action

Users of both versions of the Elementor Website Builder are encouraged to update their plugin to the latest version. Although executing the vulnerability requires an attacker to acquire contributor-level credentials, it’s still in the realm of possibility, particularly if contributors don’t have strong passwords.

Read the official Wordfence advisories:

Elementor Website Builder – More than Just a Page Builder <= 3.20.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget CVE-2024-2117

Elementor Website Builder – More than Just a Page Builder <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation CVE-2024-2120

Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload CVE-2024-1521

Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2121

Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via widget’s custom_id CVE-2024-1364

Elementor Website Builder Pro <= 3.20.1 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag CVE-2024-2781
