XSS Vulnerability in Essential Addons for Elementor Affects Over 2M Sites

A significant security concern has been raised for users of the Essential Addons for Elementor plugin on WordPress, affecting more than two million websites. The plugin, widely used to enhance the Elementor WordPress page builder with additional features and widgets, has been found to have a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability puts a vast number of websites at risk, highlighting the need for immediate updates and vigilance among users.

The Core of the Vulnerability

The vulnerability stems from flaws in two specific widgets within the Essential Addons plugin: the Countdown Widget and the Woo Product Carousel Widget. These vulnerabilities can potentially allow attackers to execute malicious scripts on a website, compromising the security of the site and its visitors. Such scripts could enable attackers to steal session cookies, thus gaining unauthorized control over websites.

Stored Cross-Site Scripting vulnerabilities are particularly concerning because they arise from improper sanitization of inputs — such as text or images — that users can upload. Proper sanitization involves filtering out harmful scripts, a standard security measure that was overlooked in this instance. Additionally, the failure to escape outputs, which prevents dangerous data from being displayed in browsers, was identified as another contributing factor to the vulnerability.

Specifics of the Flaw

Security experts at Wordfence, who issued the advisory/2, detailed the vulnerabilities. The Countdown Widget was found to be exploitable through the message parameter, allowing attackers with at least contributor access to inject harmful web scripts. Similarly, the Woo Product Carousel Widget’s alignment parameter was identified as a vector for XSS attacks. These vulnerabilities highlight the importance of stringent input sanitization and output escaping in web development.

Implications for Website Owners

The term “authenticated attackers” refers to the requirement that attackers need valid website credentials at a contributor level or higher to exploit these vulnerabilities. This aspect slightly mitigates the risk but does not eliminate the need for immediate action by website administrators.

Wordfence has rated the vulnerability as a medium-level threat, assigning it a 6.4 out of 10 on the severity scale. Users of the Essential Addons plugin, particularly those running version 5.9.11 or earlier, are urged to update to the latest version (currently 5.9.13) to protect their sites from potential attacks.

Conclusion

The discovery of this vulnerability serves as a critical reminder of the importance of regular updates and security audits for WordPress plugins. By staying informed and proactive, website owners can safeguard their sites against emerging threats and ensure a secure online experience for their visitors.