by Ram Gall, Wordfence
April 13, 2021
Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively installed on over 3.5 million sites. Altogether, our team found over 100 vulnerable endpoints.
These vulnerabilities are covered by the same Wordfence firewall rule that we created for the original Elementor vulnerability, which has been available to free Wordfence users since March 25, 2021.
Which plugins were impacted?
We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder.
We have attempted to notify the developers and publishers of as many vulnerable plugins as possible, and have advised them to review their premium plugins for similar issues.
In most cases the plugin developers we contacted have patched quickly, but a few failed to respond to our initial contact request. In these cases, we contacted the WordPress plugins repository to have the vulnerable plugins reviewed.
Due to the sheer number of plugins that add new elements to Elementor, some are likely still vulnerable, especially where the plugin code was not freely available for us to review, as is the case with many premium plugins.
Note that we have only listed plugins that have been patched at this time. If your site is running any of these plugins, we strongly recommend updating as soon as possible. If your site is running a plugin that adds functionality to Elementor through new elements or widgets, and it is not listed here, we recommend contacting the plugin author or developer to verify that they have audited their plugin for these issues.
Affected Plugins: Listed below
Plugin Slugs: Listed below
Fully Patched Versions: Listed below
- Essential Addons for Elementor (essential-addons-for-elementor-lite), 1M+ Installations
Versions < 4.5.4 are vulnerable, patched in version 4.5.4
- Elementor – Header, Footer & Blocks Template (header-footer-elementor), 1M+ Installations
Versions < 1.5.8 are vulnerable, patched in version 1.5.8
- Ultimate Addons for Elementor (ultimate-elementor), 600k+ Installations
Versions < 1.30.0 are vulnerable, patched in version 1.30.0
- Premium Addons for Elementor (premium-addons-for-elementor), 400k+ Installations
Versions < 4.2.8 are vulnerable, patched in version 4.2.8
- ElementsKit (elementskit-lite) and ElementsKit Pro (elementskit), 300k+ Installations
Versions < 2.2.0 are vulnerable, patched in version 2.2.0
- Elementor Addon Elements (addon-elements-for-elementor-page-builder), 100k+ Installations
Versions < 1.11.2 are vulnerable, patched in version 1.11.2
- Livemesh Addons for Elementor (addons-for-elementor), 100k+ Installations
Versions < 6.8 are vulnerable, patched in version 6.8
- HT Mega – Absolute Addons for Elementor Page Builder (ht-mega-for-elementor), 70k+ Installations
Versions < 1.5.7 are vulnerable, patched in version 1.5.7
- WooLentor – WooCommerce Elementor Addons + Builder (woolentor-addons), 50k+ Installations
Versions < 1.8.6 are vulnerable, patched in version 1.8.6
- PowerPack Addons for Elementor (powerpack-lite-for-elementor), 50k+ Installations
Versions < 2.3.2 are vulnerable, patched in version 2.3.2
- Image Hover Effects – Elementor Addon (image-hover-effects-addon-for-elementor), 40k+ Installations
Versions < 1.3.4 are vulnerable, patched in version 1.3.4
- Rife Elementor Extensions & Templates (rife-elementor-extensions), 30k+ Installations
Versions < 1.1.6 are vulnerable, patched in version 1.1.6
- The Plus Addons for Elementor Page Builder Lite (the-plus-addons-for-elementor-page-builder), 30k+ Installations
Versions < 2.0.6 are vulnerable, patched in version 2.0.6
- All-in-One Addons for Elementor – WidgetKit (widgetkit-for-elementor), 20k+ Installations
Versions < 2.3.10 are vulnerable, patched in version 2.3.10
- JetWidgets For Elementor (jetwidgets-for-elementor), 10k+ Installations
Versions < 1.0.9 are vulnerable, patched in version 1.0.9
- Sina Extension for Elementor (sina-extension-for-elementor), 10k+ Installations
Versions < 3.3.12 are vulnerable, patched in version 3.3.12
- DethemeKit For Elementor (dethemekit-for-elementor), 8k+ Installations
Versions < 126.96.36.199 are vulnerable, patched in version 188.8.131.52
As with the vulnerabilities in the main Elementor plugin, each of these plugins added elements that allowed users to select an HTML tag from a drop-down menu in order to add formatting to a title or other text. Unfortunately, the tag options were not enforced on the server side and would be echoed out when displaying the element.
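The pattern described above and its server-side fix, as an added example that is not code from Wordfence or from any of the listed plugins; the setting key title_tag, the allowlist and the render functions are assumptions that mirror the post's description of a tag drop-down whose stored value is trusted on output.

```php
<?php
// Added example, not code from Wordfence or from any listed plugin. The setting key
// 'title_tag', the allowlist and the render functions are assumptions that mirror
// the pattern described in the post: a "select HTML tag" control whose value is
// trusted when the element is displayed.

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in for WordPress's esc_html() so the file runs outside WordPress.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern: the drop-down limits what the editor UI offers, but the stored
// widget settings are never re-checked, so whatever string was saved becomes the tag.
function render_heading_vulnerable( array $settings ) {
    $tag = $settings['title_tag'];
    return '<' . $tag . '>' . esc_html( $settings['title'] ) . '</' . $tag . '>';
}

// Hardened pattern: enforce the drop-down's options on the server side and fall back
// to a safe default for any value that is not on the list.
const HEADING_TAGS = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p' );

function validate_heading_tag( $tag, $default = 'div' ) {
    $tag = is_string( $tag ) ? strtolower( trim( $tag ) ) : '';
    return in_array( $tag, HEADING_TAGS, true ) ? $tag : $default;
}

function render_heading_hardened( array $settings ) {
    $tag = validate_heading_tag( $settings['title_tag'] ?? 'h2' );
    return sprintf( '<%1$s>%2$s</%1$s>', $tag, esc_html( $settings['title'] ) );
}

// Constructed settings, shaped like the stored element data a plugin would load.
// The second set contains a value the drop-down never offers; because the select
// control is enforced only in the browser, a content editor can still save it.
$normal   = array( 'title_tag' => 'h2', 'title' => 'Hello' );
$tampered = array( 'title_tag' => 'h2 data-injected="1"', 'title' => 'Hello' );

echo render_heading_vulnerable( $tampered ), PHP_EOL; // the extra markup reaches the page
echo render_heading_hardened( $tampered ), PHP_EOL;   // value rejected, default tag used
echo render_heading_hardened( $normal ), PHP_EOL;     // allowlisted tag passes through
```

The same check belongs in every render path that reads a tag-style setting, not only the widget's main title, since the post notes over 100 affected endpoints across these plugins.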
Who should be worried about this?
Sites with multiple users who contribute content and that are running an unpatched version of one of the plugins listed above should be considered at risk. Vulnerabilities of this type are unlikely to be exploited at scale, but they are extremely valuable to attackers targeting individual sites. This applies especially to high-profile media sites or other sites likely to be specifically targeted by attackers. If you are the sole user on your site, then this will not affect you.