This dangerous WordPress attack threatens millions of websites


Security researchers have uncovered a serious vulnerability in the popular Elementor WordPress website builder that could allow hackers to take over any website built using it.

Elementor claims to be used on over seven million WordPress websites. The stored cross-site scripting vulnerability was discovered by Wordfence, which develops security solutions, including plugins, to protect WordPress.

“These vulnerabilities allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator,” explains Wordfence.


Now patched

Wordfence disclosed the vulnerability to Elementor last month, and it has since been patched. 

What made the vulnerability particularly dangerous was that it could be exploited even by someone with Contributor permissions on a WordPress website. Contributors have the fewest administrative privileges.

Wordfence discovered that several elements in the Elementor editor weren’t validated on the server side, which could allow malicious users to add executable JavaScript to a page. When an administrator opens the post for review, the script would execute and use the administrator's high-level privileges to create a new malicious administrator account.

The researchers suggest that the solution to preventing this type of vulnerability is to enforce a list of allowed HTML tags on the server side, rather than just on the client side. “Indeed, this is the approach the patched version uses to correct the issue”, concludes Wordfence.
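A server-side allowlist of the kind the researchers describe, shown as an added example in plain PHP; it is not Elementor's or Wordfence's code. The setting names (`tag`, `title`), the allowed tag list and both functions are assumptions made for illustration.

```php
<?php
// Added example: the tag name arrives from the editor in the request body, so the
// server treats it as untrusted no matter what the browser-side controls permit.
// Setting names and function names below are hypothetical.

const ALLOWED_WRAPPER_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];
const DEFAULT_WRAPPER_TAG = 'h2';

/**
 * Return a tag name that is safe to print, whatever the client submitted.
 */
function validate_wrapper_tag($submitted): string
{
    // Arrays, null and other non-strings never reach the output
    if (!is_string($submitted)) {
        return DEFAULT_WRAPPER_TAG;
    }
    $tag = strtolower(trim($submitted));
    // Exact match against the allowlist; anything else is replaced, not "cleaned"
    return in_array($tag, ALLOWED_WRAPPER_TAGS, true) ? $tag : DEFAULT_WRAPPER_TAG;
}

/**
 * Render a heading from saved settings: allowlisted tag, escaped text.
 */
function render_heading(array $settings): string
{
    $tag = validate_wrapper_tag($settings['tag'] ?? null);
    $title = htmlspecialchars((string) ($settings['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return sprintf('<%1$s class="heading">%2$s</%1$s>', $tag, $title);
}

// Constructed sample settings, as they might look when the client-side
// dropdown has been bypassed and the request body edited by hand.
$samples = [
    ['tag' => 'h3', 'title' => 'Quarterly report'],       // legitimate value
    ['tag' => 'script', 'title' => 'alert(1)'],           // tag outside the allowlist
    ['tag' => 'h2 onmouseover=alert(1)', 'title' => 'Hello'], // attribute smuggled into the tag
    ['tag' => ['h2'], 'title' => '<b>bold</b>'],          // wrong type
];

foreach ($samples as $settings) {
    echo render_heading($settings), PHP_EOL;
}
```

Only the first sample keeps its submitted tag; the other three are rendered inside the default `h2`, and the text content is always HTML-escaped.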

Via: WPTavern

Mayank Sharma
