Recent Patches Rock the Elementor Ecosystem

Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively installed on over 3.5 million sites. All together, our team found over 100 vulnerable endpoints.

These stored Cross-Site Scripting vulnerabilities were similar in execution to the recently published vulnerabilities in the main Elementor plugin. They allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator.

These vulnerabilities are covered by the same Wordfence firewall rule that we created for the original Elementor vulnerability, which has been available to free Wordfence users since March 25, 2021.

Which plugins were impacted?

We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder.

We have attempted to notify the developers and publishers of as many vulnerable plugins as possible, and have advised them to review their premium plugins for similar issues.

In most cases the plugin developers we contacted have patched quickly, but a few failed to respond to our initial contact request. In these cases, we contacted the WordPress plugins repository to have the vulnerable plugins reviewed.

Due to the sheer number of plugins that add new elements to Elementor, some may likely still be vulnerable, especially in cases where the plugin code was not freely available for us to review, as is the case with many premium plugins.

Note that we have only listed plugins that have been patched at this time. If your site is running any of these plugins, we strongly recommend updating as soon as possible. If your site is running a plugin that adds functionality to Elementor through new elements or widgets, and it is not listed here, we recommend contacting the plugin author or developer to verify that they have audited their plugin for these issues.


Description: Multiple Authenticated Stored Cross-Site Scripting (XSS)
Affected Plugins: Listed below
Plugin Slugs: Listed below
Affected Versions: Listed below
CVE IDs: Pending
CVSS Score: 6.4 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Versions: Listed below

Essential Addons for Elementor (essential-addons-for-elementor-lite), 1M+ Installations
Versions < 4.5.4 are vulnerable, patched in version 4.5.4

Elementor – Header, Footer & Blocks Template (header-footer-elementor), 1M+ Installations
Versions < 1.5.8 are vulnerable, patched in version 1.5.8

Ultimate Addons for Elementor (ultimate-elementor), 600k+ Installations
Versions < 1.30.0 are vulnerable, patched in version 1.30.0

Premium Addons for Elementor (premium-addons-for-elementor), 400k+ Installations
Versions < 4.2.8 are vulnerable, patched in version 4.2.8

ElementsKit (elementskit-lite) and ElementsKit Pro (elementskit), 300k+ Installations
Versions < 2.2.0 are vulnerable, patched in version 2.2.0

Elementor Addon Elements (addon-elements-for-elementor-page-builder), 100k+ Installations
Versions < 1.11.2 are vulnerable, patched in version 1.11.2

Livemesh Addons for Elementor (addons-for-elementor), 100k+ Installations
Versions < 6.8 are vulnerable, patched in version 6.8

HT Mega – Absolute Addons for Elementor Page Builder (ht-mega-for-elementor), 70k+ Installations
Versions < 1.5.7 are vulnerable, patched in version 1.5.7

WooLentor – WooCommerce Elementor Addons + Builder (woolentor-addons), 50k+ Installations
Versions < 1.8.6 are vulnerable, patched in version 1.8.6

PowerPack Addons for Elementor (powerpack-lite-for-elementor), 50k+ Installations
Versions < 2.3.2 are vulnerable, patched in version 2.3.2

Image Hover Effects – Elementor Addon (image-hover-effects-addon-for-elementor), 40k+ Installations
Versions < 1.3.4 are vulnerable, patched in version 1.3.4

Rife Elementor Extensions & Templates (rife-elementor-extensions), 30k+ Installations
Versions < 1.1.6 are vulnerable, patched in version 1.1.6

The Plus Addons for Elementor Page Builder Lite (the-plus-addons-for-elementor-page-builder), 30k+ Installations
Versions < 2.0.6 are vulnerable, patched in version 2.0.6

All-in-One Addons for Elementor – WidgetKit (widgetkit-for-elementor), 20k+ Installations
Versions < 2.3.10 are vulnerable, patched in version 2.3.10

JetWidgets For Elementor (jetwidgets-for-elementor), 10k+ Installations
Versions < 1.0.9 are vulnerable, patched in version 1.0.9

Sina Extension for Elementor (sina-extension-for-elementor), 10k+ Installations
Versions < 3.3.12 are vulnerable, patched in version 3.3.12

DethemeKit For Elementor (dethemekit-for-elementor), 8k+ Installations
Versions < 1.5.5.5 are vulnerable, patched in version 1.5.5.5

As with the vulnerabilities in the main Elementor plugin, each of these plugins added elements that allowed users to select an HTML tag from a drop-down menu in order to add formatting to a title or other text. Unfortunately, the tag options were not enforced on the server side and would be echoed out when displaying the element.

An attacker could, for instance, intercept a request where they added a title element, and change an “H5” heading tag to a “script” tag. In many cases it was possible to add JavaScript directly via one of these tags, while other plugins enforced various levels of sanitization. Even for plugins that performed sanitization on output, it was still often possible to set the HTML tag use to a remotely sourced script, or to simply set the tag to “script” and place the JavaScript to be executed in the actual title or a similar parameter.

Who should be worried about this?

Sites that have multiple users that contribute content and are running an unpatched version of one of the plugins listed above should be considered at risk. Vulnerabilities of this type are unlikely to be exploited at scale, but are extremely valuable to attackers targeting individual sites. This applies especially to high-profile media sites or other sites likely to be specifically targeted by attackers. If you are the sole user on your site, then this will not affect you.

While all of the vulnerabilities in question require an attacker to gain access to an account with at least “contributor” permissions to exploit, the contributor role is not considered a trusted role. Any content written by contributors must be reviewed by an Editor or an Administrator before it can be published. It may be easier for an attacker to obtain access to an account with contributor privileges than to gain administrative credentials, and a vulnerability of this type can be used to perform privilege escalation by executing JavaScript in a reviewing administrator’s browser session.

If you are a plugin developer or publisher offering plugins to extend the functionality of Elementor via additional widgets, and we have not already contacted you, we strongly recommend reviewing your code base for similar vulnerabilities using the patches in these plugins and the main Elementor plugin as a template.

A Special Thank You

All software is vulnerable at some point in its lifecycle, and most software is vulnerable to some extent at every point in its lifecycle. It’s unrealistic to expect any company or developer to write software that is completely free from vulnerabilities without significant testing and review. What matters most is their response once vulnerabilities are discovered and disclosed.

As such, we’d like to thank the following plugin developers and publishers for their exemplary responses to our disclosure:

POSIMYTH, publishers of The Plus Addons for Elementor Page Builder Lite, for helping us identify additional vulnerable plugins and actively seeking to improve the security of their product.

Brainstorm Force, publishers of Elementor – Header, Footer & Blocks Template and Ultimate Addons for Elementor, for their fast response and transparency in informing their users of the security issues in their plugins.

HasThemes, publishers of HT Mega – Absolute Addons for Elementor Page Builder and WooLentor – WooCommerce Elementor Addons + Builder, for their extremely fast response in patching their plugins.

WPDeveloper, publishers of Essential Addons for Elementor, for their fast response in patching the vulnerabilities in their plugin.

Crocoblock, publishers of JetWidgets For Elementor and many other Elementor addon plugins, for their fast response and willingness to review their premium addons for similar issues.

WebTechStreet, publishers of Elementor Addon Elements, for their fast response in patching the vulnerabilities in their plugin.

Livemesh, publishers of Livemesh Addons for Elementor, for their responsiveness.

WPMet, publishers of the ElementsKit and ElementsKit Pro plugins, for their responsiveness.

ThemesGrove, publishers of All-in-One Addons for Elementor – WidgetKit, for their responsiveness.

Apollo13Themes, publishers of Rife Elementor Extensions & Templates, for their responsiveness.

deTheme, publishers of DethemeKit For Elementor, for their responsiveness.

This article was the result of weeks worth of research and disclosure, and was, to some extent, a race against time before it became obvious to outside observers how many plugins in the Elementor ecosystem were vulnerable. Although making initial contact was occasionally difficult, we were pleasantly surprised by how many of the publishers we contacted began work immediately after our disclosure. We believe this bodes well for the Elementor ecosystem.

Conclusion

In this article, we covered a widespread set of Cross-Site Scripting(XSS) vulnerabilities present in many of the most popular Elementor addon plugins. Although most small site owners will not be directly affected, the vulnerabilities in question can be used for site takeover, and larger sites with multiple untrusted users are particularly at risk.

All Wordfence users, including sites using the free version of Wordfence, have been protected from these vulnerabilities since March 25, 2021.

If you are running a vulnerable version of any of these plugins on your site, be sure to update to the latest version available. If you are running any addon plugins for Elementor, be sure to apply any available updates as soon as possible.

If you know of a friend or colleague who manages a site that uses Elementor, be sure to forward this article to them as well. Security is a community effort, and staying informed is the most effective tool for keeping your website safe.

The post Recent Patches Rock the Elementor Ecosystem appeared first on Wordfence.

More great articles

Introducing Free Wordfence Intelligence WordPress Vulnerability Webhook Notifications!

We’re incredibly excited to announce that we have launched a webhook integration for vulnerabilities as part of Wordfence Intelligence, which…

Read Story

$1,250 Bounty Awarded for Unauthenticated SQL Injection Vulnerability Patched in Email Subscribers by Icegram Express WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to…

Read Story

$563 Bounty Awarded for Reflected Cross-Site Scripting Vulnerability Patched in Yoast SEO WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.