Hello there, WordPress Wizards!
Hold onto your hats, because we have some important news to share concerning the popular Elementor WordPress plugin. Brace yourselves as we reveal not one, not two, but six vulnerabilities affecting this critical tool, which is used by over 5 million websites globally! Can you believe it?
Elementor Universe
Consider this: a thriving hub of website creation where the Elementor Plugin reigns supreme. With its drag-and-drop simplicity, Elementor enables over 5 million active users worldwide to easily create gorgeous websites. Let's not forget about Elementor Pro, the superhero edition that includes complex widgets and useful e-commerce capabilities.
Vulnerability Meltdown
Security researchers have discovered six sneaky Cross-Site Scripting (XSS) vulnerabilities in both Elementor Website Builder and its Pro version. These flaws, which stem from insufficient input sanitization and output escaping, put millions of Elementor-powered websites at risk.
Vulnerability Breakdown
Let's break each vulnerability down.
- Elementor Plugin not working? (CVE-2024-2117): This vulnerability, present in versions up to and including 3.20.2, allows authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via the Path Widget.
- WordPress Elementor Plugin Vulnerability Strikes (CVE-2024-2120): Affects versions up to and including 3.20.1, allowing authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation.
- Elementor Pro Plugin Under Siege (CVE-2024-1521): This vulnerability, present in versions up to and including 3.20.1, allows authenticated (Contributor+) Stored Cross-Site Scripting via the Form Widget's SVGZ file upload.
- Protecting Against Elementor Pro Plugin Vulnerability (CVE-2024-2121): Present in versions up to and including 3.20.1, this vulnerability allows authenticated (Contributor+) Stored Cross-Site Scripting via the Media Carousel widget.
- Defending against Elementor Plugin Vulnerabilities (CVE-2024-1364): This vulnerability, present in versions up to and including 3.20.1, allows authenticated (Contributor+) Stored Cross-Site Scripting via the widget's custom_id.
- Navigating the Elementor Plugin Vulnerability Maze (CVE-2024-2781): This vulnerability, present in versions up to and including 3.20.1, allows authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via the video_html_tag.
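The quickest way to act on the list above is to compare the versions actually installed on a site against the affected-version ceilings. The script below is an added example written for this post, not code from Elementor or Wordfence; the CVE ids and version ceilings are exactly the ones listed above, the plugin slugs `elementor` and `elementor-pro` are assumed, and the version strings it is run against are constructed samples.

```python
"""Check installed Elementor / Elementor Pro versions against the six CVEs listed above.

Added example for this post, not Elementor's or Wordfence's own code.
The plugin slugs "elementor" and "elementor-pro" are assumptions.
"""
from __future__ import annotations

import re

# (CVE id, plugin slug, highest affected version), taken from the list above.
ADVISORIES = [
    ("CVE-2024-2117", "elementor", "3.20.2"),
    ("CVE-2024-2120", "elementor", "3.20.1"),
    ("CVE-2024-1521", "elementor-pro", "3.20.1"),
    ("CVE-2024-2121", "elementor-pro", "3.20.1"),
    ("CVE-2024-1364", "elementor-pro", "3.20.1"),
    ("CVE-2024-2781", "elementor-pro", "3.20.1"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '3.20.1' (or '3.20.1-beta2') into a tuple of ints that compares correctly.

    A pre-release suffix is dropped, so '3.20.2-beta' is treated as 3.20.2 and
    therefore still counts as affected. Trailing zeros are removed so that
    '3.20.0' and '3.20' compare equal.
    """
    core = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(part) for part in core.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def exposed(installed: dict[str, str | None]) -> list[str]:
    """Return the CVE ids a site is still exposed to.

    `installed` maps plugin slug -> installed version string, or None when the
    plugin is not installed (for example a site without Elementor Pro).
    """
    hits = []
    for cve, slug, ceiling in ADVISORIES:
        version = installed.get(slug)
        if version is None:
            continue  # plugin absent, nothing to patch for this advisory
        if parse_version(version) <= parse_version(ceiling):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample: free plugin one release behind, Pro not installed.
    sample = {"elementor": "3.20.2", "elementor-pro": None}
    for cve in exposed(sample):
        print(f"{cve}: update required")
```

The version strings come from the Plugins screen in the WordPress admin, or on a host with WP-CLI from `wp plugin get elementor --field=version` (and the same command with the Pro plugin's slug). A hit means the installed version is at or below the highest affected version for that CVE and the plugin should be updated.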
Recommended Action
To stay ahead of these threats, Elementor users (free and Pro) should update their plugins as soon as possible. While exploiting these flaws requires contributor-level rights, we shouldn't take any chances, especially when it comes to protecting our online kingdoms.
Stay in the Loop
To stay up to date, see the official Wordfence bulletins for further details on each vulnerability.
- Elementor Website Builder - More than Just a Page Builder <= 3.20.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Path Widget (CVE-2024-2117)
- Elementor Website Builder - More than Just a Page Builder <= 3.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Navigation (CVE-2024-2120)
- Elementor Website Builder Pro <= 3.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Widget SVGZ File Upload (CVE-2024-1521)
- Elementor Website Builder Pro <= 3.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting (CVE-2024-2121)
- Elementor Website Builder Pro <= 3.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via widget's custom_id (CVE-2024-1364)
- Elementor Website Builder Pro <= 3.20.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via video_html_tag (CVE-2024-2781)
Conclusion
Vigilance is key when it comes to website security. Let us stay one step ahead of the hackers and keep our WordPress realms safe and secure. For additional information on the vulnerabilities revealed in Elementor Add-Ons, see the complete article here.
Until next time, be careful and clever!
Your trusted WordPress friends.