Devinlabs Solutions

Essential Addons For Elementor Vulnerability Hits Over 2 Million WordPress Sites

Security researchers have issued an advisory about the popular Essential Addons For Elementor WordPress plugin, which was found to contain a Stored Cross-Site Scripting vulnerability affecting over 2 million websites.

The vulnerabilities are the result of flaws in two separate widgets included with the plugin.


Two Widgets That Create Vulnerabilities

Essential Addons is a plugin that extends the popular Elementor WordPress page builder. Elementor lets anyone build websites with little effort, and Essential Addons adds further site functions and widgets on top of it.

The Vulnerability

Wordfence’s advisory stated that the plugin contained a Stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject a malicious script that runs in the browsers of site visitors, which can lead to theft of session cookies and, from there, to control of the website.

XSS vulnerabilities are among the most common classes of web flaw. They result from a failure to properly sanitize (screen or filter) fields that accept user input such as text or images.

Plugins usually “sanitize” inputs, which means stripping unwanted content such as scripts from the data before it is stored.

The other weakness that leads to an XSS vulnerability is a failure to “escape output,” which means encoding data that may contain undesired characters at the point where it is written into the page, so that the browser renders it as text rather than executing it.

Wordfence identifies both of these problems as contributing to the vulnerabilities.
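As an added illustration of the sanitize-input / escape-output distinction described above (example code written for this page, not Essential Addons’ own code): a minimal Elementor-style widget render routine in its vulnerable and hardened forms. The widget class, setting keys and stored value are constructed, and the shims at the top stand in for the WordPress functions so the file runs outside WordPress.

```php
<?php
// Shims so the example runs stand-alone; inside WordPress the real functions are used.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // Rough stand-in: drop tags and collapse whitespace (the real one also strips octets and newlines).
    function sanitize_text_field(string $s): string { return trim(preg_replace('/\s+/', ' ', strip_tags($s))); }
}

// Step 1, sanitize input: applied when a Contributor-level user saves the widget settings.
function save_widget_settings(array $raw): array {
    return ['title' => sanitize_text_field($raw['title'] ?? '')];
}

// Vulnerable render: the stored title is written into an attribute and into text unescaped,
// so whatever was stored reaches every visitor's browser verbatim.
function render_widget_vulnerable(array $settings): string {
    $title = $settings['title'];
    return '<div class="hypo-card" data-title="' . $title . '"><h3>' . $title . '</h3></div>';
}

// Hardened render, escape output: pick the escaper that matches where the value lands
// (attribute context vs. HTML text context).
function render_widget_hardened(array $settings): string {
    $title = $settings['title'];
    return '<div class="hypo-card" data-title="' . esc_attr($title) . '"><h3>' . esc_html($title) . '</h3></div>';
}

// Check for tests or CI: does the emitted markup still carry a live <script> tag?
function contains_script_tag(string $html): bool {
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed value a low-privilege author could type into the widget's title field.
$stored = ['title' => '"><script>alert(1)</script>'];

$results = [
    'raw render'                      => contains_script_tag(render_widget_vulnerable($stored)),
    'escaped render'                  => contains_script_tag(render_widget_hardened($stored)),
    // Sanitizing on save removes the tag but leaves the quote, so the attribute is still
    // broken out of; this is why output escaping is required in addition to sanitizing.
    'raw render of sanitized settings' => contains_script_tag(render_widget_vulnerable(save_widget_settings($stored))),
];
foreach ($results as $label => $hasScript) {
    printf("%-34s script tag present: %s\n", $label, $hasScript ? 'yes' : 'no');
}
```

Run with `php example.php`; the third case shows that sanitizing alone is not a substitute for escaping, since the surviving `">` still terminates the attribute.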

Authenticated Attackers

The phrase “authenticated attackers” means that an attacker must first obtain credentials for the website before launching an attack. To exploit the Essential Addons for Elementor vulnerability, an attacker must have Contributor-level access or higher.

Medium Level Threat - Updates Are Recommended

The vulnerability is classified as a medium threat and has a score of 6.4 on a scale of 1 to 10, with 10 indicating the most critical level of risk.

Users of version 5.9.11 or lower are encouraged to upgrade to the most recent version of the plugin, which is currently version 5.9.13.
