- A large number of sites using various ‘Elementor’ plugins are vulnerable to XSS flaws.
- The attacks aren’t large-scale but can cause great damage to specific targets nonetheless.
- Updating your ‘Elementor’ plugins to the latest available version addresses the associated risks.
Whenever that post is viewed, edited, or previewed by another user of the website, the snippet runs. If the code is crafted maliciously, the possibilities could go as high as gaining admin access on the site.
The following plugins are vulnerable to these cross-site scripting flaws:
- Essential Addons for Elementor – prior to v4.5.4, 1 million installations
- Elementor – Header, Footer & Blocks Template – prior to v1.5.8, 1 million installations
- Ultimate Addons for Elementor – prior to v1.30.0, 600k installations
- Premium Addons for Elementor – prior to v4.2.8, 400k installations
- ElementsKit– prior to v2.2.0 300k installations
- Elementor Addon Elements – prior to v1.11.2, 100k installations
- Livemesh Addons for Elementor– prior to v6.8, 100k installations
- HT Mega – Absolute Addons for Elementor Page Builder – prior to v1.5.7, 70k installations
- WooLentor – WooCommerce Elementor Addons + Builder – prior to v1.8.6, 50k installations
- PowerPack Addons for Elementor – prior to v2.3.2, 50k installations
- Image Hover Effects – Elementor Addon– prior to v1.3.4, 40k installations
- Rife Elementor Extensions & Templates– prior to v1.1.6, 30k installations
- The Plus Addons for Elementor Page Builder Lite – prior to v2.0.6, 30k installations
- All-in-One Addons for Elementor – WidgetKit – prior to v2.3.10, 20k installations
- JetWidgets For Elementor – prior to v1.0.9, 10k installations
- Sina Extension for Elementor – prior to v3.3.12, 10k installations
- DethemeKit For Elementor – prior to v184.108.40.206, 8k installations
If you manage a website using any of the above plugins, make sure to update to the latest available version to avoid any nasty XSS surprises to you or your contributors. Remember, the attacks rely on privilege escalation, so seeing your website taken over and wiped just because you were running a vulnerable Elementor plugin is possible.
If you are a developer who publishes plugins to help extend the functionality of Elementor, you should also review your code and scrutinize the base that you’ve used for relevant flaws. While these vulnerabilities aren’t being exploited en masse, they are excellent tools for highly targeted actors.