Researchers have discovered an authenticated reflected cross-site scripting (XSS) vulnerability in the WordPress page builder Elementor.
With over 3 million installs, Elementor is one of the most popular plugins on WordPress. Users depend on the plugin for frontend drag & drop page designs.
While the plugin appeared to function correctly, a website security firm, Impenetrable.tech, thought Elementor may contain a bug or two. So, it set out to identify the security risks in the plugin.
The security company wrote in a blog post:
“The plugin seems to be very well implemented, but there is always a sneaky XSS somewhere. So in comes Burp Suite’s intruder dropping a whole heap of payloads into every dynamic part of the application….and…..bingo!”
Upon discovering the vulnerabilities, Impenetrable.tech contacted the publishers of Elementor Page Builder and the WordPress plugin was immediately updated.
Here’s what you should know about the security flaw.
About Authenticated Reflected XSS in Elementor Page Builder
If exploited, the security flaw can enable hackers to run a script from another website to steal login credentials.
Attackers could cause a script to be loaded to the vulnerable site through a search box, for example. Then, they can create a URL that would execute the script when followed. Finally, the hackers can forward the link to the person whose credentials they intend to steal.
To give users time to update, the proof of concept will remain hidden until February 12th. So, it’s unclear whether an attacker can use this exploit to steal an Elementor publisher’s admin details.
The one clear thing is that you need to log into your WordPress site to update the Elementor Page Builder.
The vulnerability affects version 2.8.4 of the plugin and older. So, you may want to update to the latest version, 2.8.5.
In your WordPress account, you should see an update link from the admin navigation ribbon at the top of the page. Another option is to access the update page via the link in the admin sidebar.
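To check an install against the affected range stated above (2.8.4 and older, fixed in 2.8.5), the following added example, which is not code from Impenetrable.tech or Elementor, reads the `Version:` field from a plugin header file and compares it numerically. The file path is supplied by the caller, and the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a WordPress plugin header file shows an
# Elementor version older than the fixed release named in the article.
FIXED_VERSION="2.8.5"   # affected: 2.8.4 and older

# Print the "Version:" field of a plugin header file ($1).
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" |
        head -n 1
}

# Exit status 0 if dotted version $1 is older than $2. Components are compared
# as numbers, so 2.10.0 counts as newer than 2.8.5 (a string compare would not).
version_lt() (
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}              # leading component of each
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}    # drop suffixes such as "-beta1"
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && exit 0
        [ "$x" -gt "$y" ] && exit 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    exit 1
)

# Print "affected <ver>", "ok <ver>" or "unknown" for header file $1.
elementor_status() {
    ver=""
    [ -r "$1" ] && ver=$(plugin_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "affected $ver"
    else
        echo "ok $ver"
    fi
}

# Usage: sh check.sh <plugin main file> [...]; with no arguments, run on a
# constructed sample header.
if [ "$#" -eq 0 ]; then
    sample=$(mktemp); trap 'rm -f "$sample"' EXIT
    printf '/**\n * Plugin Name: Elementor\n * Version: 2.8.4\n */\n' > "$sample"
    set -- "$sample"
fi
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(elementor_status "$f")"
done
```

An "unknown" result means the file was unreadable or carried no version field, and should be checked by hand rather than treated as patched.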