Security vulnerabilities in Several Elementor Addons
Recent Patches Rock the Elementor Ecosystem
by Ram Gall, Wordfence
April 13, 2021
Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively installed on over 3.5 million sites. All together, our team found over 100 vulnerable endpoints.
These stored Cross-Site Scripting vulnerabilities were similar in execution to the recently published vulnerabilities in the main Elementor plugin. They allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator.
These vulnerabilities are covered by the same Wordfence firewall rule that we created for the original Elementor vulnerability, which has been available to free Wordfence users since March 25, 2021.
Which plugins were impacted?
We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder.
We have attempted to notify the developers and publishers of as many vulnerable plugins as possible, and have advised them to review their premium plugins for similar issues.
In most cases the plugin developers we contacted have patched quickly, but a few failed to respond to our initial contact request. In these cases, we contacted the WordPress plugins repository to have the vulnerable plugins reviewed.
Due to the sheer number of plugins that add new elements to Elementor, some are likely still vulnerable, especially in cases where the plugin code was not freely available for us to review, as is the case with many premium plugins.
Note that we have only listed plugins that have been patched at this time. If your site is running any of these plugins, we strongly recommend updating as soon as possible. If your site is running a plugin that adds functionality to Elementor through new elements or widgets, and it is not listed here, we recommend contacting the plugin author or developer to verify that they have audited their plugin for these issues.
Affected Plugins: Listed below
Plugin Slugs: Listed below
Fully Patched Versions: Listed below
- Essential Addons for Elementor (essential-addons-for-elementor-lite), 1M+ Installations
  Versions < 4.5.4 are vulnerable, patched in version 4.5.4
- Elementor – Header, Footer & Blocks Template (header-footer-elementor), 1M+ Installations
  Versions < 1.5.8 are vulnerable, patched in version 1.5.8
- Ultimate Addons for Elementor (ultimate-elementor), 600k+ Installations
  Versions < 1.30.0 are vulnerable, patched in version 1.30.0
- Premium Addons for Elementor (premium-addons-for-elementor), 400k+ Installations
  Versions < 4.2.8 are vulnerable, patched in version 4.2.8
- ElementsKit (elementskit-lite) and ElementsKit Pro (elementskit), 300k+ Installations
  Versions < 2.2.0 are vulnerable, patched in version 2.2.0
- Elementor Addon Elements (addon-elements-for-elementor-page-builder), 100k+ Installations
  Versions < 1.11.2 are vulnerable, patched in version 1.11.2
- Livemesh Addons for Elementor (addons-for-elementor), 100k+ Installations
  Versions < 6.8 are vulnerable, patched in version 6.8
- HT Mega – Absolute Addons for Elementor Page Builder (ht-mega-for-elementor), 70k+ Installations
  Versions < 1.5.7 are vulnerable, patched in version 1.5.7
- WooLentor – WooCommerce Elementor Addons + Builder (woolentor-addons), 50k+ Installations
  Versions < 1.8.6 are vulnerable, patched in version 1.8.6
- PowerPack Addons for Elementor (powerpack-lite-for-elementor), 50k+ Installations
  Versions < 2.3.2 are vulnerable, patched in version 2.3.2
- Image Hover Effects – Elementor Addon (image-hover-effects-addon-for-elementor), 40k+ Installations
  Versions < 1.3.4 are vulnerable, patched in version 1.3.4
- Rife Elementor Extensions & Templates (rife-elementor-extensions), 30k+ Installations
  Versions < 1.1.6 are vulnerable, patched in version 1.1.6
- The Plus Addons for Elementor Page Builder Lite (the-plus-addons-for-elementor-page-builder), 30k+ Installations
  Versions < 2.0.6 are vulnerable, patched in version 2.0.6
- All-in-One Addons for Elementor – WidgetKit (widgetkit-for-elementor), 20k+ Installations
  Versions < 2.3.10 are vulnerable, patched in version 2.3.10
- JetWidgets For Elementor (jetwidgets-for-elementor), 10k+ Installations
  Versions < 1.0.9 are vulnerable, patched in version 1.0.9
- Sina Extension for Elementor (sina-extension-for-elementor), 10k+ Installations
  Versions < 3.3.12 are vulnerable, patched in version 3.3.12
- DethemeKit For Elementor (dethemekit-for-elementor), 8k+ Installations
  Versions < 1.5.5.5 are vulnerable, patched in version 1.5.5.5
As with the vulnerabilities in the main Elementor plugin, each of these plugins added elements that allowed users to select an HTML tag from a drop-down menu in order to add formatting to a title or other text. Unfortunately, the tag options were not enforced on the server side and would be echoed out when displaying the element.
An attacker could, for instance, intercept a request where they added a title element, and change an “H5” heading tag to a “script” tag. In many cases it was possible to add JavaScript directly via one of these tags, while other plugins enforced various levels of sanitization. Even for plugins that performed sanitization on output, it was still often possible to set the HTML tag to a remotely sourced script, or to simply set the tag to “script” and place the JavaScript to be executed in the actual title or a similar parameter.
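The pattern described above next to its server-side fix, as an added example that is not taken from any of the listed plugins. The setting names `title_tag` and `title`, the function names, the allowlist contents and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not code from any of the listed plugins.
// Setting names (title_tag, title) and all function names are hypothetical.

// The options the editor's drop-down is meant to offer.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Vulnerable pattern: the tag comes straight from the saved widget settings.
// Escaping the title alone does not help once the tag itself is "script".
function render_title_vulnerable(array $settings): string
{
    $tag   = $settings['title_tag'];
    $title = htmlspecialchars($settings['title'], ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Hardened pattern: enforce the drop-down's options on the server and
// fall back to a safe default for anything else.
function validate_title_tag($tag, string $default = 'h2'): string
{
    $tag = is_string($tag) ? strtolower(trim($tag)) : '';
    return in_array($tag, ALLOWED_TITLE_TAGS, true) ? $tag : $default;
}

function render_title_hardened(array $settings): string
{
    $tag   = validate_title_tag($settings['title_tag'] ?? null);
    $title = htmlspecialchars((string) ($settings['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Constructed sample settings: a normal editor value and two tampered requests.
$samples = [
    'editor value'    => ['title_tag' => 'h5', 'title' => 'Hello'],
    'tag set to script' => ['title_tag' => 'script', 'title' => 'console.log(1)'],
    'remote source'   => ['title_tag' => 'script src=//example.invalid/x.js', 'title' => 'Hello'],
];

foreach ($samples as $label => $settings) {
    echo $label, "\n";
    echo '  vulnerable: ', render_title_vulnerable($settings), "\n";
    echo '  hardened:   ', render_title_hardened($settings), "\n";
}
```

The second sample shows why output escaping of the title is not enough: the text passes through `htmlspecialchars` unchanged, so only validating the tag against the allowlist keeps it from rendering as script content.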
Who should be worried about this?
Sites that have multiple users that contribute content and are running an unpatched version of one of the plugins listed above should be considered at risk. Vulnerabilities of this type are unlikely to be exploited at scale, but are extremely valuable to attackers targeting individual sites. This applies especially to high-profile media sites or other sites likely to be specifically targeted by attackers. If you are the sole user on your site, then this will not affect you.
While all of the vulnerabilities in question require an attacker to gain access to an account with at least “contributor” permissions to exploit, the contributor role is not considered a trusted role. Any content written by contributors must be reviewed by an Editor or an Administrator before it can be published. It may be easier for an attacker to obtain access to an account with contributor privileges than to gain administrative credentials, and a vulnerability of this type can be used to perform privilege escalation by executing JavaScript in a reviewing administrator’s browser session.