Elementor users who haven’t updated recently will want to get on the latest version, 3.1.4, as soon as possible. Researchers at Wordfence disclosed a set of stored Cross-Site Scripting (XSS) vulnerabilities in the plugin to its authors in February. The issues were partially patched at that time, and additional fixes were released the second week of March.
Wordfence summarized the vulnerabilities in a post published yesterday, accompanied by a detailed walkthrough of how an attacker might compromise sites using Elementor:
Many of the plugin’s “elements,” or components, accept an html_tag parameter, which was output without escaping and could be set to execute a script. A few of the vulnerable elements include the column, accordion, heading, divider, icon box, and image box.
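To make the pattern Wordfence describes concrete, the following added illustration (not Elementor’s code) shows a hypothetical PHP heading widget that renders a user-chosen html_tag first unescaped, then restricted to an allowlist; the widget, its settings array and the tag list are assumptions for the example.

```php
<?php
// Added illustration, not Elementor's code: a hypothetical heading widget whose
// wrapper tag is chosen in the editor. The first renderer shows the pattern the
// article describes (tag name printed unescaped); the second restricts it to an
// allowlist so a contributor-level user cannot smuggle extra markup into the page.

// Stand-in for WordPress' esc_html() so the file also runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// UNSAFE: the user-controlled html_tag value is concatenated straight into markup.
// Only the title is escaped; the tag name is trusted as-is.
function render_heading_unsafe(array $settings): string {
    $tag = $settings['html_tag'];
    return '<' . $tag . '>' . esc_html($settings['title']) . '</' . $tag . '>';
}

// HARDENED: accept only a fixed set of tag names and fall back to a safe default.
// Anything that is not exactly one of these names is rejected as a whole.
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

function validate_html_tag(string $tag, string $default = 'div'): string {
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $default;
}

function render_heading_safe(array $settings): string {
    $tag = validate_html_tag((string) ($settings['html_tag'] ?? ''));
    return '<' . $tag . '>' . esc_html($settings['title']) . '</' . $tag . '>';
}

// Constructed sample: a saved widget setting whose html_tag is not a bare tag name.
$settings = ['html_tag' => 'h2 class="promo"', 'title' => 'Spring <sale>'];

// The unsafe renderer passes the extra attribute text through verbatim.
echo render_heading_unsafe($settings), PHP_EOL;

// The hardened renderer replaces the unrecognised value with the default tag.
echo render_heading_safe($settings), PHP_EOL;

// Self-checks: case is normalised, and anything beyond a bare tag name is rejected.
assert(validate_html_tag('H3') === 'h3');
assert(validate_html_tag('h2 class="promo"') === 'div');
```

The same allowlist check belongs on every element that exposes a tag setting, not just the heading, since the article lists several components that accepted the parameter.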
At the time of publishing, fewer than half of all Elementor installs are running version 3.1.x, leaving millions of sites still vulnerable. Wordfence confirmed this morning that it is not currently seeing active exploitation of these vulnerabilities.
“Due to the privileges required, we expect it to be used primarily in targeted attacks rather than widespread attempts,” Wordfence security researcher Ram Gall said. “That is, it is likely to be used for privilege escalation once an attacker has been able to get a foot in the door, rather than a complete start-to-finish exploit chain. This is going to be more of a concern for sites that have many contributor or author users, as this means a wider attack surface. The main reason this is a concern is the sheer number of installations.”
Apart from a brief mention in the changelog, Elementor did not alert its users to the security issues on the product’s blog or social media accounts:
- Fix: Hardened allowed options in the editor to enforce better security policies
- Fix: Removed html option in Lightbox module to prevent security issues
“Elementor was very responsive initially, though they didn’t keep us updated about the patches after the initial report,” Wordfence representative Kathy Zant said. “They do have a security contact listed on their site, which is always helpful. Often, security researchers have a difficult time identifying and contacting the right person with whom to share vulnerability proof-of-concepts, so we’re always grateful when we’re able to easily start those discussions.”
The latest version, 3.1.4, contains the patches for these vulnerabilities, along with fixes for other, less severe bugs in the plugin. Elementor users are advised to update as soon as possible so that the vulnerabilities cannot be used for site takeover.