WordPress Elementor Addons Vulnerability Affects 400k Sites via @sejournal, @martinibuster


The WordPress Happy Addons for Elementor plugin patched a stored XSS vulnerability that allowed attackers to upload malicious scripts

Wordfence issued an advisory on a vulnerability patched in the popular Happy Addons for Elementor plugin, installed on over 400,000 websites. The security flaw could allow attackers to upload malicious scripts that execute when browsers visit affected pages.

Happy Addons for Elementor

The Happy Addons for Elementor plugin extends the Elementor page builder with dozens of free widgets and features like image grids, a user feedback and reviews function, and custom navigation menus. A paid version of the plugin offers even more design functionalities that make it easy to create functional and attractive WordPress websites.

Stored Cross-Site Scripting (Stored XSS)

Stored XSS is a vulnerability that typically happens when a theme or plugin doesn’t properly filter user inputs (called sanitization), allowing malicious scripts to be uploaded to the database and stored on the server itself. When a user visits the website the script downloads to the browser and executes actions like stealing browser cookies or redirecting the user to a malicious website.

The stored XSS vulnerability affecting the Happy Addons for Elementor plugin requires a hacker acquiring Contributor-level permissions (authentication), making it harder to take advantage of the vulnerability.

WordPress security company Wordfence rated the vulnerability 6.4 on a scale of 1 – 10, a medium threat level.

According to Wordfence:

“The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Plugin users should consider updating to the latest version, currently 3.12.6, which contains a security patch for the vulnerability.
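
A defender's check for the issue described above, as an added example that is not code from Wordfence, the plugin, or this article: it walks page-builder data and flags any `before_label` value that contains markup. It assumes the data is a JSON tree of elements with `settings` and nested `elements`, as Elementor keeps it in the `_elementor_data` post meta; the sample data and the `example-image-compare` widget name are constructed placeholders.

```python
import json
import re

# Setting named in the Wordfence advisory quoted above.
SUSPECT_KEYS = {"before_label"}

# Markup that has no place in a plain-text label: tags, inline event
# handlers, and javascript: URLs.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def find_suspect_labels(elements, path=""):
    """Walk an element tree and return (path, widget, key, value) for
    every suspect setting whose value contains markup."""
    hits = []
    for index, element in enumerate(elements):
        here = f"{path}/{index}"
        settings = element.get("settings")
        # Assumption: settings is not always an object in stored data
        # (an empty one may appear as a list), so check the type first.
        if isinstance(settings, dict):
            for key in SUSPECT_KEYS.intersection(settings):
                value = settings[key]
                if isinstance(value, str) and MARKUP.search(value):
                    hits.append((here, element.get("widgetType"), key, value))
        hits.extend(find_suspect_labels(element.get("elements") or [], here))
    return hits


# Constructed sample data, not taken from a real site. The widgetType
# value is a placeholder; the check does not depend on it.
SAMPLE = json.loads("""
[
  {"elType": "section", "settings": [], "elements": [
    {"elType": "widget", "widgetType": "example-image-compare",
     "settings": {"before_label": "Before"}, "elements": []},
    {"elType": "widget", "widgetType": "example-image-compare",
     "settings": {"before_label": "Before<script>alert(1)</script>"},
     "elements": []}
  ]}
]
""")

if __name__ == "__main__":
    for path, widget, key, value in find_suspect_labels(SAMPLE):
        print(f"{path} [{widget}] {key} = {value!r}")
```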

Read the Wordfence advisory:

Happy Addons for Elementor <= 3.12.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison


SEJ STAFF Roger Montti Owner - Martinibuster.com at Martinibuster.com
