Elementor Page Builder Plugin Vulnerability


Elementor, a popular WordPress page builder, has issued an update to patch an Authenticated Reflected XSS vulnerability. This kind of vulnerability allows a hacker to run a script from another site and do things such as steal login credentials.

The attack works by getting a script loaded into the vulnerable site (for example, through a search box): the hacker creates a URL that, when followed, executes the script, which is hosted on another site. The hacker then sends the link to someone whose credentials could then be stolen.

According to the WordPress Vulnerability Database, the proof of concept is being hidden until February 12th to give users time to update.

The website security company that discovered the vulnerability (Impenetrable.tech) has published a walk-through of how it discovered the security flaw.

Screenshot from security company that discovered the vulnerability


Once they discovered the vulnerability, they contacted the publishers of the Elementor Page Builder plugin, and the publishers updated it right away.

Only after Elementor was patched did the security site publish an account of the vulnerability.

This vulnerability affects versions 2.8.4 and older. It is advisable to log into your WordPress website and update your site if you use the Elementor Page Builder plugin. The most current version of Elementor Page Builder is 2.8.5.

Once you sign in to your WordPress account, there should be an update link in the admin navigation ribbon at the top of the page, or you can open the updates page from the link in the admin sidebar to view all available updates.
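
For administrators who look after several sites, the version check described above can be run from the command line. This is an added example, not code from the article or from Elementor: it reads the `Version:` header from the plugin's main file and compares it with 2.8.5. The path `wp-content/plugins/elementor/elementor.php` assumes the default plugin directory layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag WordPress installs running an Elementor release older than 2.8.5.
FIXED_VERSION="2.8.5"   # first patched release, per the article

# Print the "Version:" value from a plugin main file header (empty if none found).
plugin_version() {
    # Header lines look like " * Version: 2.8.4"; a trailing CR from CRLF files is dropped.
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*$/\1/p' "$1" 2>/dev/null | head -n 1
}

# Return 0 (true) when version $1 is strictly lower than version $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0   # missing parts count as 0, so 2.8 < 2.8.5
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                           # equal versions are not "lower"
    }'
}

# Classify one WordPress root directory.
# Prints "vulnerable <ver>", "patched <ver>", "unknown" (no header) or "absent".
check_elementor() {
    main="$1/wp-content/plugins/elementor/elementor.php"   # assumed default layout
    [ -f "$main" ] || { echo "absent"; return 0; }
    ver=$(plugin_version "$main")
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Usage: sh check-elementor.sh /var/www/site1 /var/www/site2
for root in "$@"; do
    printf '%s: %s\n' "$root" "$(check_elementor "$root")"
done
```

Each WordPress root passed as an argument gets one line of output; any site reported as `vulnerable` should be updated as described above.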