Wordfence security analysts found that virtually every plugin they tested that adds functionality to Elementor had a vulnerability. Many of the contacted plugin publishers updated their plugins, but not every one of them responded, including publishers of premium plugins.
The Elementor page builder plugin itself fixed a similar vulnerability in February 2021.
This vulnerability affects add-on plugins for Elementor that are created by third parties.
As indicated by Wordfence:
“We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder.”
So it appears that this vulnerability is genuinely widespread among the third-party plugins that are add-ons to Elementor.
A stored cross-site scripting vulnerability is especially dangerous because the malicious script is uploaded to and stored on the site itself. Then, when a user visits the affected page, the browser executes the malicious script.
If the individual visiting the site is signed in and has administrator-level access, then the script could be used to give that level of access to the hacker and lead to a complete site takeover.
This specific vulnerability allows an attacker with at least contributor-level permission to upload a script in the place where an element (like a heading element) should be.
The attack is similar to the one that Elementor fixed in February 2021.
This is how the Elementor vulnerability is described:
“…the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.
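An added example (not code from Wordfence, Elementor or any of the affected plugins) of the server-side check this class of bug calls for: the saved header_size value is compared against a fixed allowlist before it is used as an element name. The function names, the allowlist contents and the sample settings are assumptions made for illustration.

```php
<?php
// Added illustration; all names here are hypothetical, not a plugin's real API.

// Tags a heading widget is expected to offer (assumed list).
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Unsafe pattern: the stored setting is used verbatim as the element name,
// so whatever a contributor saved in header_size ends up in the page markup.
function render_heading_unsafe(array $settings): string
{
    $tag = $settings['header_size'];
    return "<{$tag}>" . $settings['title'] . "</{$tag}>";
}

// Hardened pattern, step 1: accept only an exact match from the allowlist.
function validate_heading_tag($requested, string $default = 'h2'): string
{
    if (!is_string($requested)) {
        return $default;
    }
    $tag = strtolower(trim($requested));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $default;
}

// Hardened pattern, step 2: validate the tag and escape the text at output time.
// This example treats the title as plain text (an assumption).
function render_heading_safe(array $settings): string
{
    $tag   = validate_heading_tag($settings['header_size'] ?? null);
    $title = htmlspecialchars((string) ($settings['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Constructed sample settings, as they might be saved for three widgets.
$samples = [
    ['header_size' => 'h3',         'title' => 'Pricing'],
    ['header_size' => 'script',     'title' => 'Pricing'],   // not a heading tag
    ['header_size' => 'h1 class=x', 'title' => 'A & B'],     // extra attribute text
];

foreach ($samples as $settings) {
    echo render_heading_safe($settings), PHP_EOL;
}
```

The check has to run on the server when the widget is rendered, because the editor's dropdown only limits what the user interface sends, not what a saved request can contain.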
The seventeen affected plugins for Elementor in the list below are installed on millions of sites.
The following list is incomplete.
If your third-party plugin that adds functionality to Elementor isn’t listed, then it’s essential to check with the publisher to confirm whether it has been checked for this vulnerability.
Publishers using third-party plugins for Elementor should ensure that those plugins have been updated to fix this vulnerability.
While this vulnerability requires at least contributor-level access, a hacker who is specifically targeting a site can leverage various attacks or strategies to acquire those credentials, including social engineering.
As indicated by Wordfence:
If your third-party add-on plugin for Elementor has not recently been updated to fix a vulnerability, you might need to contact the publisher of that plugin to find out if it is safe.