Elementor Vulnerabilities Found
Security experts have recently issued a warning about six distinct Cross-Site Scripting (XSS) vulnerabilities identified in both the Elementor Website Builder and its Pro edition. These vulnerabilities could enable attackers to inject malicious scripts that execute in the browsers of site visitors.
Overview of Elementor Website Builder
Elementor, a premier platform for building websites, is utilized by over 5 million active users globally, with claims from the official WordPress repository suggesting it powers more than 16 million websites worldwide. Its user-friendly drag-and-drop interface enables users to effortlessly craft professional-looking websites. The Pro version enhances this platform by offering additional widgets and sophisticated ecommerce features.
Due to its widespread popularity, Elementor has unfortunately become a prime target for malicious hackers, making these six vulnerabilities particularly alarming.
Details of the XSS Vulnerabilities
The vulnerabilities discovered in both the standard and Pro versions of Elementor Website Builder encompass six distinct XSS issues. Five of them arise from inadequate input sanitization combined with missing output escaping, and one from insufficient input sanitization alone.
Input sanitization is the coding practice that protects the parts of a plugin where users enter data or upload files: it rejects or strips input that does not match what the field expects, such as script or HTML markup, so that only the expected data type is stored. Output escaping is the complementary step on the other side: it encodes the data the plugin writes into the page so that the browser renders it as text rather than interpreting it as markup or script, which safeguards site visitors even when unexpected data has made it into storage.
The WordPress Developer Handbook underscores the importance of input sanitization as a means of securing, cleaning, or filtering input data.
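The sanitize-on-save, escape-on-output pattern that the handbook describes is easiest to see side by side. The following is an added, stand-alone illustration written for this article; it is not Elementor's code and does not reproduce any of the vulnerabilities listed below. It models a hypothetical widget setting (a link with text, URL and title) submitted by a contributor and rendered into the page, and contrasts a render that echoes stored values directly with one that sanitizes on save and escapes per output context. When run outside WordPress, minimal stand-ins for `sanitize_text_field()`, `esc_html()`, `esc_attr()` and `esc_url()` are defined so the script executes with plain `php`; inside WordPress the real helpers are used instead. The input values are constructed for the demonstration.

```php
<?php
// Added example for this article: not Elementor code and not an exploit.
// Stand-ins so the script runs outside WordPress. They approximate the real
// WordPress helpers; when WordPress is loaded, function_exists() skips them.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = preg_replace( '@<(script|style)[^>]*?>.*?</\1>@si', '', (string) $str ); // drop script/style blocks
        $str = strip_tags( $str );                                 // drop any remaining tags
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );      // drop control bytes
        return trim( preg_replace( '/\s+/', ' ', $str ) );         // collapse whitespace
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Only http/https survive; javascript:, data: and friends become empty.
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}

// Constructed contributor input, as a hypothetical widget form might receive it.
$raw_settings = array(
    'link_text'  => 'Our services<script>alert(1)</script>',
    'link_url'   => 'javascript:alert(1)',
    'link_title' => '" onmouseover="alert(1)',
);

// VULNERABLE: values are stored as received and echoed unchanged at render time.
function render_link_vulnerable( array $s ) {
    return '<a href="' . $s['link_url'] . '" title="' . $s['link_title'] . '">'
        . $s['link_text'] . '</a>';
}

// HARDENED step 1: sanitize on save so only the expected data type is stored.
// The URL is kept as submitted here; esc_url() validates it at output time
// (WordPress also offers esc_url_raw() for storage, omitted for brevity).
function save_link_settings( array $raw ) {
    return array(
        'link_text'  => sanitize_text_field( $raw['link_text'] ),
        'link_url'   => trim( (string) $raw['link_url'] ),
        'link_title' => sanitize_text_field( $raw['link_title'] ),
    );
}

// HARDENED step 2: escape on output, choosing the escaper for the context the
// value lands in (URL attribute, plain attribute, HTML body). This matters even
// after sanitization: the title below contains no tags, so sanitize_text_field()
// leaves it untouched, and only esc_attr() keeps it from closing the attribute.
function render_link_hardened( array $s ) {
    return '<a href="' . esc_url( $s['link_url'] ) . '" title="' . esc_attr( $s['link_title'] ) . '">'
        . esc_html( $s['link_text'] ) . '</a>';
}

echo "Vulnerable: " . render_link_vulnerable( $raw_settings ) . "\n";
$stored = save_link_settings( $raw_settings );
echo "Hardened:   " . render_link_hardened( $stored ) . "\n";
```

Run it with `php example.php`. The vulnerable line reproduces the script tag, the `javascript:` URL and the injected `onmouseover` attribute verbatim; the hardened line emits an empty `href`, a title in which the quotes have become `&quot;`, and the link text with the script block removed. The two steps are deliberately independent: sanitization limits what reaches storage, and context-aware escaping neutralizes whatever reaches the page regardless of how it got there, which is why a widget missing both, as five of the six reported issues did, is the worst case.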
It is critical to understand that each of these six vulnerabilities is unique and not related to the others, pointing to a need for improved security measures on Elementor’s part. Notably, one vulnerability, identified as CVE-2024-2120, may affect both the free and Pro versions of the software. Efforts to clarify this with Wordfence are ongoing, and updates will be provided as new information becomes available.
List of Vulnerabilities in Elementor
- CVE-2024-2117 (Elementor Website Builder): Up to version 3.20.2 – Authenticated DOM-Based Stored XSS via Path Widget
- CVE-2024-2120 (Elementor Website Builder Pro): Up to version 3.20.1 – Authenticated Stored XSS via Post Navigation
- CVE-2024-1521 (Elementor Website Builder Pro): Up to version 3.20.1 – Authenticated Stored XSS via Form Widget SVGZ File Upload (affects only NGINX servers)
- CVE-2024-2121 (Elementor Website Builder Pro): Up to version 3.20.1 – Authenticated Stored XSS via Media Carousel widget
- CVE-2024-1364 (Elementor Website Builder Pro): Up to version 3.20.1 – Authenticated Stored XSS via widget’s custom_id
- CVE-2024-2781 (Elementor Website Builder Pro): Up to version 3.20.1 – Authenticated DOM-Based Stored XSS via video_html_tag
All six vulnerabilities are rated medium severity; exploiting any of them requires at least contributor-level permissions.
Changelog Insights
Wordfence reports two vulnerabilities affecting the free version of Elementor, but the changelog mentions a fix for only one. The affected widgets are the Path Widget and Post Navigation Widget, with only the Text Path Widget receiving a documented fix. The Elementor Pro changelog, however, confirms fixes for all mentioned vulnerabilities, suggesting a possible oversight in the free version’s documentation.
Recommendation for Elementor Users
To mitigate these security risks, users of both Elementor versions are strongly advised to update their plugins to the latest releases. Although an attacker needs contributor-level permissions, exploitation remains possible, especially if contributor accounts use weak passwords; reviewing which accounts hold the contributor role and enforcing strong passwords for them reduces the chance that an attacker obtains the required foothold.
If you need assistance with this task, please book a webmaster session with us so we can perform a full audit of your site as well as perform updates, backups and other essential tasks.