A new Essential Addons For Elementor vulnerability has been revealed, affecting over 2 million websites utilizing the popular WordPress plugin. Security researchers have flagged Stored Cross-Site Scripting (XSS) vulnerabilities within this plugin, which could potentially pave the way for attackers to inject malicious scripts into WordPress websites.
The vulnerability stems from flaws identified in two integral widgets incorporated within the Essential Addons plugin, namely the Countdown Widget and the Woo Product Carousel Widget.
These Elementor vulnerabilities have raised concerns among website owners and developers alike due to their widespread impact. The vulnerability was reported by security researcher Ngô Thiên An (ancorn_) and Wordfence gave it a rating of 6.4 on the vulnerability scale, affecting versions from 5.9.11 and below.
Decoding the Essential Addons for Elementor Vulnerability
Essential Addons For Elementor serves as an extension to the Elementor WordPress page builder, empowering users to enhance their websites with a ton of features and widgets. However, the recent report of XSS vulnerabilities within this plugin puts millions of users at risk since the plugin has an active installation of 2+ million.
According to a security advisory published by Wordfence, the vulnerability specifically targets the “Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders” plugin, up to version 5.9.11. The vulnerability, categorized as “Authenticated (Contributor+) Stored Cross-Site Scripting,” highlights lapses in input sanitization and output escaping mechanisms within the affected widgets.
This vulnerability, assigned a severity score of 6.4 on the Wordfence vulnerability scale, highlights the potential risks associated with improper input validation. Furthermore, the advisory outlines the possibility for authenticated attackers, with contributor-level access or higher, to exploit the vulnerability by injecting arbitrary web scripts into affected pages.
Essential Addons for Elementor Responds to the Vulnerability
The developers behind Essential Addons for Elementor have addressed the recent vulnerability by releasing a comprehensive security patch. This patch not only tackles the Stored Cross-Site Scripting (XSS) vulnerabilities but also addresses various other flaws within the WordPress plugin.
In their latest patch version 5.9.13, several critical issues have been resolved, including fixes for the EA Table of Contents, ensuring it no longer throws PHP Fatal errors when the Display on option is set to Custom Post Types. Additionally, minor bug fixes and improvements have been implemented to enhance the overall stability and performance of the plugin.
Previous versions, such as 5.9.12 and 5.9.11, also saw fixes to key functionalities. For instance, issues with the EA Pricing Table, EA Advanced Accordion, EA Advanced Tabs, and EA Login Register Form have been addressed, ensuring seamless operation across various features.
Furthermore, compatibility with popular themes and plugins like Fluent Form and Gravity Forms has been improved, minimizing conflicts and enhancing user experience. Alongside security updates, improvements in accessibility support have been made, ensuring that the plugin remains inclusive and user-friendly for all website visitors.
The Stored Cross-Site Scripting (XSS) Pandemic
Stored Cross-Site Scripting (XSS) vulnerabilities pose a threat to website security, enabling attackers to execute malicious scripts within the browsers of unsuspecting visitors. Such attacks could potentially lead to the theft of session cookies, thereby granting unauthorized access to sensitive website functionalities.
XSS vulnerabilities are prevalent in web applications and often result from inadequate input sanitization and output escaping mechanisms. These vulnerabilities have taken a toll on WordPress users recently with many plugins having inadequate security settings, allowing threat actors to exploit the vulnerability and initiate remote code execution.
According to Wordfence, the Essential Addons for Elementor vulnerability “makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
Previously, Wordfence reported the same vulnerability within the Rank Math plugin. Researcher Ngô Thiên An (ancorn_) uncovered the vulnerability within the Rank Math plugin, which impacts versions up to and including 1.0.214. The vulnerability is associated with the plugin’s management of attributes within the HowTo block.
This lapse in input sanitization and output escaping means that authenticated attackers with contributor-level access or higher can inject arbitrary web scripts. These scripts have the potential to execute whenever a user interacts with the compromised page, posing a risk to user sessions and sensitive data.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
