Elementor, the most popular WordPress plugin, is affected by a “Stored Cross-Site Scripting” vulnerability. It allows an attacker holding even the lowest-privileged user role to inject a malicious script that runs for other users of the site, and it could also lead to a complete site takeover.
Elementor is the world’s biggest WordPress website builder, with more than 7 million active installations. Half of all Elementor installs are not up to date, leaving millions of sites vulnerable.
“These vulnerabilities allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator. We recommend treating these vulnerabilities with greater than normal urgency.”
–Wordfence
Security researcher Ram Gall at Wordfence says “The vulnerabilities we found were present in the Free version of Elementor, which needs to be installed in order for Elementor Pro to function. That is, if you have Elementor Pro installed, you should still make sure to keep the underlying Elementor installation up to date”.
These vulnerabilities could be exploited via components such as “Columns”, “Accordion”, “Icon Box”, “Image Box”, “Heading”, and “Divider”.
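The root cause of this class of stored XSS is a widget that renders editor-controlled settings into markup without validating them. The following is an added illustration, not Elementor's code: a hypothetical heading widget whose `html_tag` setting is trusted, beside a hardened version that allowlists the tag name and escapes attributes and text (`htmlspecialchars` stands in for WordPress's `esc_attr`/`esc_html`).

```php
<?php
// Added example (not Elementor's code): widget settings as a low-privileged
// user might save them. The 'html_tag' value is the attacker-controlled field.
// All values below are constructed samples.
$settings = [
    'title'    => 'Quarterly report',
    'html_tag' => 'script',            // should have been h1..h6, div, span or p
    'css_id'   => 'report-heading',
];

// Vulnerable pattern: tag name and attributes are interpolated as stored.
// A contributor can turn a heading into any element, including <script>.
function render_heading_unsafe(array $s): string {
    return sprintf('<%1$s id="%2$s">%3$s</%1$s>',
        $s['html_tag'], $s['css_id'], $s['title']);
}

// Hardened pattern: the tag must be one of a fixed set, and every value that
// lands in an attribute or text node is escaped for its context.
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

function validate_tag(string $tag, string $fallback = 'h2'): string {
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $fallback;
}

function esc(string $value): string {
    // Equivalent role to esc_attr()/esc_html() inside WordPress.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_heading_safe(array $s): string {
    $tag = validate_tag($s['html_tag'] ?? '');
    return sprintf('<%1$s id="%2$s">%3$s</%1$s>',
        $tag, esc($s['css_id'] ?? ''), esc($s['title'] ?? ''));
}

echo render_heading_unsafe($settings), PHP_EOL;
// <script id="report-heading">Quarterly report</script>  (stored XSS sink)
echo render_heading_safe($settings), PHP_EOL;
// <h2 id="report-heading">Quarterly report</h2>          (tag forced to allowlist)
```

The same allowlist-plus-escape rule applies to every component named above: any setting a contributor can save must be treated as untrusted when it is rendered for administrators or visitors.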
Users can find a detailed report here.
Users are advised to update to the latest version, 3.1.4, as soon as possible. Version 3.1.4 contains patches for the above vulnerabilities. The full patch update is expected by March 25, 2021, when the firewall rule becomes available to free users. Be sure to track and update the plugin as soon as you can.