When a new security flaw is reported in a software development, it starts a race between vulnerability testing experts in charge of correcting it and cybercriminals who want to exploit the flaws. This is especially notable as for the most commonly used products, such as some WordPress plugins.
Elementor, one of the world’s most popular plugins, presents a vulnerability dubbed XSS Authenticated Reflection, whose exploitation would allow threat actors to run scripts on WordPress sites from another site to deploy malicious activities such as theft of access credentials.
Vulnerability testing experts mention that the
flaw depends on the loading of a script in the vulnerable site using, for
example, a search box. A possible exploitation scenario is described below:
threat actor creates a specially designed URL for the attack
the victim follows the URL, the script, which is hosted on an external site,
will be run
hacker will send a link to target users to steal their credentials from the
This flaw has already been reported on
WordPress Vulnerability Database, a platform that contains updated information
about any vulnerability found in the content management system and its most
popular plugins. The administrators reported that, in order to avoid exploitation
in the wild, the proof of concept will remain unpublished until at least
The vulnerability was found by security firm
Impenetrable.tech, which reported it to Elementor
editors as soon as possible. WordPress visual builder developers immediately
fixed the flaw. The vulnerability was publicly disclosed once its remediation
Specialists in vulnerability testing from the
International Institute of Cyber Security (IICS) mention that the flaw affects
Elementor versions 2.8.4 and earlier. The new version, 2.8.5, must be updated
from the admin interface of WordPress sites. After logging in, you will find an
update link on your WordPress page; otherwise, you can update the plugin from
the website administrator sidebar.