News, 04 Apr 2024

3 Million WordPress Sites Hit By 15 Elementor Vulnerabilities In 11 Elementor Addons: Act Now To Secure Your Site

By Valdis Strautiņš

Security researchers have recently warned about vulnerabilities in eleven Elementor add-on plugins, 15 security flaws in total. Several of these Elementor vulnerabilities could allow unauthorized parties to upload malicious files. One of the 15 stands out as especially concerning, because it lets an attacker bypass access controls, execute scripts, and gain access to sensitive data.

List of Elementor Vulnerable Add-Ons

- ElementsKit Elementor Addons (2 vulnerabilities, one of High Severity)
- Unlimited Elements For Elementor
- 140+ Widgets | Best Addons For Elementor
- Better Elementor Addons
- Elementor Addon Elements (2 vulnerabilities)
- Master Addons for Elementor
- The Plus Addons for Elementor (2 vulnerabilities)
- Essential Addons for Elementor (2 vulnerabilities)
- Element Pack Elementor Addons
- Prime Slider – Addons For Elementor
- Move Addons for Elementor

The plugins above are listed from the most recent advisory to the earliest. Several plugins have more than one vulnerability, which is how eleven plugins add up to 15 vulnerabilities. One plugin carries a High Severity vulnerability; the rest are rated Medium Severity.

Types of vulnerabilities: Stored Cross-Site Scripting (XSS) and Local File Inclusion.

XSS vulnerabilities are a common problem in WordPress plugins and themes. They usually come from two shortcomings: untrusted input is not cleaned on the way in (input sanitization), and data is not escaped on the way out when it is written into the page (output escaping). A Local File Inclusion vulnerability, on the other hand, abuses an inadequately secured user input so that the attacker can make the application "include" a file of their choosing.
In simpler terms, the code loads the contents of a file (for example a PHP file) into the website at run time. This class of vulnerability is a serious threat because it lets an attacker "include" a wide range of code, potentially bypassing any restrictions on what the site allows and reaching sensitive data that would normally be off limits.

High Severity

The High Severity vulnerability identified in the ElementsKit Elementor Addons plugin for WordPress is a significant concern, because it potentially puts over a million websites at risk. It is rated 8.8 on a severity scale of 1 to 10, and the plugin's widespread use adds to the risk.

ElementsKit Elementor Addons plugin

The ElementsKit Elementor Addons plugin's popularity comes from its broad functionality: it offers an all-in-one solution for easily modifying on-page design elements in headers, footers, and menus. It also ships an extensive template library and 85 widgets that extend webpages built with the Elementor website builder.

The Wordfence security researchers:

"The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included."

Millions of Sites Affected

The Elementor vulnerabilities identified here could affect a staggering number of websites, estimated at more than 3 million in total. Just two of these plugins alone account for three million active installations.
Websites often settle on one of these plugins, because their features overlap and there is little reason to run several at once. The breadth of some of these plugins adds to their appeal: a single plugin provides the essential widgets for sliders, menus, and other on-page elements. This all-in-one approach simplifies site management, since only one plugin is needed for the key design enhancements.

Are These Elementor Vulnerabilities Important and How To Fix Them?

Some of the Medium Severity Elementor vulnerabilities require the attacker to hold contributor-level access before an attack can begin, but that should not lead you to overlook the risk from other plugins or installed themes: a flaw in one of them can hand an attacker exactly that level of access. See the Wordfence advisories for details on each vulnerability and how to fix it.

There is also an easier way to get rid of these vulnerabilities. We are here to help you make your site less vulnerable and better protected. We will remove these threats and help you secure your site.
Trust professionals: Contact us

Read the official Wordfence advisories:

- ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
- ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Local File Inclusion in render_raw
- Unlimited Elements For Elementor <= 1.5.96 – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link
- 140+ Widgets | Best Addons For Elementor – FREE <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
- Better Elementor Addons <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via widget links
- Elementor Addon Elements <= 1.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
- Elementor Addon Elements <= 1.13.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'Text Separator' and 'Image Compare' Widget
- Master Addons for Elementor <= 2.0.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
- The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Team Member Listing
- The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Clients Widget
- Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
- Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting
- Element Pack Elementor Addons <= 5.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via link
- Prime Slider – Addons For Elementor <= 3.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via title
- Move Addons for Elementor <= 1.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
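The two bug classes in the advisories above, Stored XSS from missing output escaping and Local File Inclusion from a widget setting flowing into an include path, are easiest to recognise side by side in code. The following is an added example written for this article, not code from any of the plugins listed or from Wordfence: a stand-alone PHP sketch of an Elementor-style widget renderer in its vulnerable form and in a hardened form. The widget settings, the template directory and the function names are all constructed for the demonstration; comments point to the WordPress helpers (esc_html, esc_url, sanitize_file_name) a real plugin would use in place of the plain-PHP stand-ins.

```php
<?php
// Added example, not taken from any Elementor add-on. Runs with plain `php` on
// the command line; WordPress equivalents are named in comments.

// Constructed widget settings, as a Contributor-level user could save them in
// the editor. Settings are stored and rendered for every visitor, which is why
// an unescaped value here becomes *stored* XSS.
$settings = [
    'title'    => 'Team <script>alert(1)</script>',
    'link'     => 'javascript:alert(1)',
    'template' => '../../wp-config',      // path traversal attempt
];

// --- Vulnerable pattern --------------------------------------------------

function render_vulnerable(array $s): string {
    // Stored XSS: settings are echoed straight into markup, no output escaping.
    $html = '<a href="' . $s['link'] . '">' . $s['title'] . '</a>';
    // LFI: a user-controlled name is spliced into an include path. A real
    // widget would call include($path) here and execute whatever PHP the file
    // holds; this demo only reports the path it would have included.
    $path = __DIR__ . '/templates/' . $s['template'] . '.php';
    return $html . ' [would include: ' . $path . ']';
}

// --- Hardened pattern ----------------------------------------------------

// Templates the widget actually ships. Anything else is rejected outright.
const ALLOWED_TEMPLATES = ['grid', 'list', 'carousel'];

// Escape for an HTML text or attribute context (WordPress: esc_html/esc_attr).
function esc(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only http(s) or relative URLs, then escape (WordPress: esc_url).
// Simplified: esc_url also normalises whitespace and encoded characters.
function safe_url(string $url): string {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return esc($url);
}

// Map a template *name* to a file inside $templateDir, or null.
// 1. allowlist: the name must be one the widget knows;
// 2. defence in depth: the resolved real path must stay inside the directory.
function resolve_template(string $name, string $templateDir): ?string {
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . basename($name) . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(array $s, string $templateDir): string {
    $title = esc($s['title']);
    $href  = safe_url($s['link']);
    // A rejected URL degrades to plain text instead of an empty or odd link.
    $html  = $href === '' ? "<span>$title</span>" : "<a href=\"$href\">$title</a>";
    $path  = resolve_template($s['template'], $templateDir);
    if ($path === null) {
        return $html . ' [template rejected]';
    }
    return $html . ' [including: ' . basename($path) . ']';
}

// --- Demo ------------------------------------------------------------------

// Constructed template directory so the realpath check has something to resolve.
$dir = sys_get_temp_dir() . '/addon-demo-templates';
@mkdir($dir);
file_put_contents($dir . '/grid.php', "<?php // stand-in for a shipped template\n");

echo 'vulnerable : ', render_vulnerable($settings), "\n";
echo 'hardened   : ', render_hardened($settings, $dir), "\n";

$settings['template'] = 'grid';
$settings['link']     = 'https://example.com/team';
echo 'hardened ok: ', render_hardened($settings, $dir), "\n";
```

The allowlist is the actual fix for the inclusion bug: once a widget setting can only select among names the plugin ships, traversal strings and uploaded "image" files never reach include(). The realpath prefix check is there as a second layer for the case where an allowlist is not practical. For the XSS side, note that escaping happens at the point of output and is chosen per context (text, attribute, URL); sanitizing on save is a useful extra, not a substitute.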