Safety researchers issued an advisory on six distinctive XSS vulnerabilities found within the Elementor Web site Builder and its Professional model that will permit attackers to inject malicious scripts.
Elementor Web site Builder
Elementor is a number one web site builder platform with over 5 million lively installations worldwide, with the official WordPress depository claiming it powers over 16 million web sites worldwide. The drag and drop interface permits anybody to shortly create skilled web sites whereas the Professional model extends the platform with extra widgets and superior ecommerce capabilities.
That reputation has additionally made Elementor a well-liked goal for hackers which makes these six vulnerabilities of explicit concern.
Six XSS Vulnerabilities
Elementor Web site Builder and the Professional model comprise six completely different Cross-Website Scripting (XSS) vulnerabilities. 5 of the vulnerabilities are resulting from inadequate enter sanitization and output escaping whereas one in every of them is because of inadequate enter sanitization.
Enter sanitization is a typical coding follow used to safe areas of a plugin that permit customers to enter knowledge right into a kind area or add media. The method of sanitization blocks any enter that doesn’t conform with what is anticipated. A correctly secured enter for textual content knowledge ought to block scripts or HTML, which is what enter sanitization does.
Output escaping is the method of securing what the plugin outputs to the browser to maintain it from exposing a website customer’s browser to untrusted scripts.
The official WordPress Developer Handbook advises for input sanitization:
“Sanitizing enter is the method of securing/cleansing/filtering enter knowledge.”
It’s vital to notice that every one six vulnerabilities are distinct and fully unrelated to one another and come up particularly from inadequate safety from the Elementor facet. It’s potential that one in every of them, CVE-2024-2120, impacts each the free and professional variations. I contacted Wordfence for clarification on that and can replace this text accordingly after I hear again.
Checklist of Six Elementor Vulnerabilities
The next is an inventory of the six vulnerabilities and the variations they have an effect on. All six vulnerabilities are rated as medium stage safety threats. The primary two on the listing have an effect on Elementor Web site Builder and the following 4 have an effect on the Professional model. The CVE quantity is a reference to the official entry within the Frequent Vulnerabilities and Exposures database that serves as a reference for recognized vulnerabilities.
- Elementor Web site Builder (CVE-2024-2117)
Impacts as much as and together with 3.20.2 – Authenticated DOM-Primarily based Saved Cross-Website Scripting through Path Widget - Elementor Web site Builder Professional (and possibly free) (CVE-2024-2120)
Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Website Scripting through Publish Navigation - Elementor Web site Builder Professional (CVE-2024-1521)
Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Website Scripting through Type Widget SVGZ File Add
This vulenrability solely impacts servers working NGINX-based servers. Servers working Apache HTTP Server are unaffected. - Elementor Web site Builder Professional (CVE-2024-2121)
Impacts as much as and together with 3.20.1 – Authenticated Saved Cross-Website Scripting through Media Carousel widget - Elementor Web site Builder Professional (CVE-2024-1364)
Impacts as much as and together with 3.20.1 – Authententicated Saved Cross-Website Scripting through widget’s custom_id - Elementor Web site Builder Professional (CVE-2024-2781)
Impacts as much as and together with 3.20.1 – Authenticated DOM-Primarily based Saved Cross-Website Scripting through video_html_tag
All six vulnerabilities are rated as medium stage safety threats and require contributor-level permission stage to execute.
Elementor Web site Builder Changelog
In keeping with Wordfence there are two vulnerabilities affecting the free model of Elementor. However the changelog exhibits there is just one repair.
The problems affecting the free model are in Path Widget and in Publish Navigation Widget.
However the changelog for the free version solely lists a patch for the Textual content Path Widget and never the Publish Navigation one:
“Safety Repair: Improved code safety enforcement in Textual content Path Widget”
The Publish Navigation Widget is a navigation function that enables website guests to navigate to the earlier or subsequent submit in a collection of posts.
So though it’s lacking within the changelog, it’s included within the Elementor Pro changelog which exhibits that it’s mounted in that model:
- “Safety Repair: Improved code safety enforcement in Media Carousel widget
- Safety Repair: Improved code safety enforcement in Type widget
- Safety Repair: Improved code safety enforcement in Publish Navigation widget
- Safety Repair: Improved code safety enforcement in Gallery widget
- Safety Repair: Improved code safety enforcement in Video Playlist widget”
The lacking entry within the free changelog could also be an misprint by Wordfence as a result of the official Wordfence advisory for CVE-2024-2120 exhibits an entry for “software program slug” as elementor-pro.
Beneficial Course Of Motion
Customers of each variations of the Elementor Web site Builder are inspired to replace their plugin to the newest model. Though executing the vulnerability requires an attacker to accumulate a contributor stage permission credentials it’s nonetheless within the realm of potentialities particularly if contributors don’t have robust passwords.
Learn the official Wordfence advisories:
Featured Picture by Shutterstock/hugolacasse
