Millions of WordPress sites affected by vulnerabilities in Elementor add-on plugins

April 19, 2021
Millions of WordPress sites affected by vulnerabilities in Elementor add-on plugins

Millions of WordPress sites affected by vulnerabilities in Elementor add-on plugins

Wordfence security analysts found that virtually every plugin tried that adds functionality to Elementor had vulnerability. Many of the contacted plugin publishers updated their plugins but not every one of them reacted, including premium plugins.

The Elementor page builder plugin itself fixed a similar vulnerability in February 2021.

This vulnerability influences add-on plugins for Elementor that are created by third parties.

As indicated by Wordfence:

“We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder.”

So it appears to be that this vulnerability is genuinely boundless inside the third-party plugins that are add-ons to Elementor.

Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability is especially dangerous because the malicious script is uploaded to and stored on the actual site. Then when a user visits the influenced site page the browser will execute the malicious script.

If the individual visiting the site is signed in and has administrator-level access then the script could be used to give that level of access to the hacker and lead to a complete site takeover.

This specific vulnerability allows an assailant with at least a contributor level permission to upload a script set up where a component (like a header component) should be.

The assault is like one that Elementor fixed in February 2021.

This is how the Elementor vulnerability is described:

“…the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.

Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request.”

List of Top Elementor Add-on Plugins Fixed

The list below of seventeen plugins for Elementor that were influenced is installed on millions of sites.

Of those plugins there are over 100 endpoints, which implies that there were different vulnerabilities in each of the plugins where an assailant could upload a malicious JavaScript file.

The following list is only an incomplete one.

If your outsider plugin that adds functionality to Elementor isn’t listed then it’s basic to check with the publisher to ensure if it has been verified whether it also contains this vulnerability.

List of Top 17 Patched Elementor Plugins

  1. Essential Addons for Elementor
  2. Elementor – Header, Footer & Blocks Template
  3. Ultimate Addons for Elementor
  4. Premium Addons for Elementor
  5. ElementsKit
  6. Elementor Addon Elements
  7. Livemesh Addons for Elementor
  8. HT Mega – Absolute Addons for Elementor Page Builder
  9. WooLentor – WooCommerce Elementor Addons + Builder
  10. PowerPack Addons for Elementor
  11. Image Hover Effects – Elementor Addon
  12. Rife Elementor Extensions & Templates
  13. The Plus Addons for Elementor Page Builder Lite
  14. All-in-One Addons for Elementor – WidgetKit
  15. JetWidgets For Elementor
  16. Sina Extension for Elementor
  17. DethemeKit For Elementor

What to Do if You Use an Elementor Plugin?

Publishers using outsider plugins for Elementor should ensure that those plugins have been updated to fix this vulnerability.

While this vulnerability needs at least a contributor-level access, a hacker who is explicitly focusing on a site can leverage various attacks or strategies to acquire those credentials, including social engineering.

As indicated by Wordfence:

“It may be easier for an attacker to obtain access to an account with contributor privileges than to gain administrative credentials, and a vulnerability of this type can be used to perform privilege escalation by executing JavaScript in a reviewing administrator’s browser session.”

If your third-party add-on plugin to Elementor has not recently been updated to fix a vulnerability you might need to contact the publisher of that plugin to find out if it is safe.


Recent Patches Rock the Elementor Ecosystem

We at CodeLedge, offer Sweden’s best WordPress development services. Our WordPress development experts are very professional to develop creative WordPress websites for every type of business. Email us at or get a quote from here.

Leave a Reply

Your email address will not be published. Required fields are marked *

Translate »