The Wordfence Threat Intelligence team has discovered vulnerabilities in more than 15 add-ons for the WordPress plugin and popular website builder Elementor.
These 15 add-ons for Elementor are collectively installed on over 3.5m WordPress sites, and in total Wordfence found over 100 vulnerable endpoints.
These stored cross-site scripting (XSS) vulnerabilities are similar in execution to the serious vulnerability in Elementor that was recently patched by the company. When exploited, they allow any user capable of accessing the website builder, including contributors, to add JavaScript to posts.
This JavaScript would then be executed when a post is viewed, edited or previewed by other users on the site, and it could potentially be used to take over a site if the victim is an administrator.
Vulnerable add-ons
As was the case with the vulnerability in the main Elementor plugin, each of these add-ons adds elements that allow users to select an HTML tag from a drop-down menu to add formatting to a title or other text. However, as the tag options are not enforced on the server side, an attacker could add a new title element and change an “H5” heading tag to a “script” tag. In many cases it is possible to add JavaScript directly using one of these tags, but an attacker could instead use them to add other malicious code to a vulnerable WordPress site.
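To make the missing server-side check concrete, the following is an added example written for this article (not code from Wordfence, Elementor or any of the affected add-ons) of a hypothetical heading-widget renderer in PHP, the language WordPress plugins are written in: the vulnerable form trusts whichever tag the editor submitted, while the hardened form validates it against an allow-list on the server before rendering. All function, constant and setting names are assumptions.

```php
<?php
// Added example, not code from Wordfence or any Elementor add-on.
// A hypothetical heading widget: the editor offers a drop-down of tags,
// but the saved value arrives from the client and must be checked on the server.

// Vulnerable form: the saved tag is trusted and interpolated as-is, so a
// contributor who edits the request and replaces "h5" with "script" gets
// a script element rendered for every user who views the post.
function render_heading_vulnerable(string $tag, string $text): string {
    return "<{$tag}>" . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</{$tag}>";
}

// Hardened form: the tag must match a server-side allow-list (lower-cased and
// trimmed first); anything else falls back to a safe default instead of being
// echoed. The drop-down in the editor is a convenience, not a security control.
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'span', 'div'];

function validate_heading_tag(string $tag, string $default = 'h2'): string {
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $default;
}

function render_heading_safe(string $tag, string $text): string {
    $tag = validate_heading_tag($tag);
    return "<{$tag}>" . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</{$tag}>";
}

// Constructed widget settings, as a legitimate save and a tampered save
// might deliver them; only the tag field differs.
$settings = [
    ['title_tag' => 'h5',     'title' => 'Welcome'],
    ['title_tag' => 'script', 'title' => 'Welcome'],
];

foreach ($settings as $s) {
    echo 'vulnerable: ' . render_heading_vulnerable($s['title_tag'], $s['title']) . PHP_EOL;
    echo 'hardened:   ' . render_heading_safe($s['title_tag'], $s['title']) . PHP_EOL;
}
```

For the tampered entry the vulnerable renderer emits a `<script>` element while the hardened one falls back to `<h2>`; the same allow-list check belongs wherever the widget accepts a tag, including any REST or AJAX save path, not only in the front-end render.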
In a new blog post, Wordfence has listed all of the vulnerable add-ons, which have now been patched. However, not all of the developers and publishers the company reached out to responded to its initial contact requests. In those cases, Wordfence contacted the WordPress repository directly to have the vulnerable add-ons reviewed.
Sites using Elementor with multiple users that can contribute content and are running an unpatched version of one of these add-ons should be considered at risk. For this reason, Wordfence recommends that site owners update as soon as possible.
If your site is running an Elementor add-on that adds new elements or widgets to the website builder and is not listed in Wordfence's blog post, the company recommends that you contact the author or developer directly to verify that they have audited their add-on for these issues.