
This dangerous WordPress attack threatens millions of websites

Image: Unbreakable Lock (Image credit: KAUST)

Security researchers have uncovered a serious vulnerability in the popular Elementor WordPress website builder that can potentially allow hackers to take over any websites built using it.

Elementor claims to be used on over seven million WordPress websites. The stored cross-site scripting vulnerability was discovered by Wordfence, which develops security solutions, including plugins, to protect WordPress.

“These vulnerabilities allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator,” explains Wordfence.


Now patched

Wordfence disclosed the vulnerability to Elementor last month, and it has since been patched. 

What made the vulnerability particularly dangerous was that it could be exploited even by someone with Contributor permissions on a WordPress website. Contributors have the fewest administrative privileges.

Wordfence discovered that several elements in the Elementor editor weren’t validated on the server side, which could allow malicious users to inject executable JavaScript into a page. When an administrator opened the post for review, the script would execute and use the administrator's high-level privileges to create a new malicious administrator account.

The researchers say that the way to prevent this type of vulnerability is to enforce a list of allowed HTML tags on the server side, rather than only on the client side. “Indeed, this is the approach the patched version uses to correct the issue”, concludes Wordfence.
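As an added illustration of the server-side allowlisting Wordfence describes (example code written for this page, not code from Elementor, WordPress or Wordfence), the following Python model rebuilds submitted markup from an allowlist of tags and attributes and applies it on the save path. The allowlist is a constructed sample, and the `user_can_unfiltered_html` flag is a hypothetical stand-in for WordPress's `unfiltered_html` capability, which contributors do not hold.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: tags a low-privilege author may save and the attributes
# each may carry; anything else is dropped server-side, whatever the client did.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "strong": set(), "em": set(),
    "a": {"href", "title"}, "ul": set(), "ol": set(), "li": set(),
}
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = None  # set while inside a <script>/<style> body

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping = tag  # discard the element and its body entirely
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text survives as escaped text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.dropping is None:
            self.out.append(escape(data, quote=False))

def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def save_post_content(user_can_unfiltered_html, markup):  # hypothetical save path
    # Only users trusted with raw HTML bypass the filter; contributors never do.
    return markup if user_can_unfiltered_html else sanitize(markup)
```

Because the decision is made where the post is stored, a client-side editor that skipped or mis-applied its own checks cannot get a script past it.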

Via: WPTavern

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.