Essential Addons for Elementor Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2023-7044 | WordPress Plugin Vulnerability Report
Plugin Name: Essential Addons for Elementor
Key Information:
- Software Type: Plugin
- Software Slug: essential-addons-for-elementor-lite
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 62,990,243
- Active Installs: 1,000,000
- Last Updated: January 3, 2024
- Patched Versions: 5.9.3
- Affected Versions: <= 5.9.2
Vulnerability Details:
- Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-7044
- CVSS Score: 6.4 (Medium)
- Publicly Published: January 3, 2024
- Researcher: Webbernaut
- Description: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom ID in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access and higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Essential Addons for Elementor plugin for WordPress has a vulnerability in versions up to and including 5.9.2 that allows authenticated users with contributor access or higher to inject malicious JavaScript that will execute when pages are loaded. This vulnerability has been patched in version 5.9.3.
Detailed Overview:
A vulnerability classified as Stored Cross-Site Scripting was discovered in the Essential Addons for Elementor plugin by researcher Webbernaut. This vulnerability allows authenticated users with contributor access or higher to inject arbitrary JavaScript payloads into Elementor templates via a custom ID parameter. The payloads are then stored and will execute whenever a user accesses an injected page. This could allow malicious users to steal session cookies or sensitive information. While the access requirements limit the exploitation vector, it still poses a risk to users. Developers have addressed the insufficient input sanitization and output escaping issues in version 5.9.3. All users are urged to update immediately.
Advice for Users:
- Immediate Action: Update to version 5.9.3 or later as soon as possible.
- Check for Signs of Vulnerability: Review page templates for unauthorized JavaScript.
- Alternate Plugins: Consider alternate page builder plugins like Beaver Builder if concerned.
- Stay Updated: Always keep plugins updated to avoid vulnerable versions.
Conclusion:
The response by wpdevteam to address this vulnerability reinforces the need to promptly install security updates. Users should upgrade to version 5.9.3 to mitigate any potential attacks leveraging this issue on their WordPress sites.
Detailed Report:
Keeping your WordPress website secure should be a priority for any business relying on an online presence, but staying on top of vulnerabilities can feel impossible. Unfortunately, popular page builder plugin Essential Addons for Elementor was recently revealed to have a stored cross-site scripting flaw that puts outdated installations at serious risk. Don’t let your hard work be compromised by outdated software. By taking a few proactive security measures, you can protect your business website despite having minimal time for website administration.
The Vulnerability Explained
Researcher Webbernaut disclosed the vulnerability tracked as CVE-2023-7044 affecting Essential Addons for Elementor versions up to and including 5.9.2 in early January 2024. The plugin is actively installed on over 1 million WordPress sites.
The vulnerability allows authenticated users with contributor access or higher privileges to inject arbitrary JavaScript code into page templates and themes within the Elementor editor. This malicious code then gets stored and executed whenever a vulnerable page is visited by any user.
Impacts to Businesses
This vulnerability means an authorized user could leverage their access to compromise business sites relying on older versions of Essential Addons for Elementor. Attackers could steal session cookies, hijack admin accounts, extract sensitive customer or business data, or insert unwanted content.
While the vulnerability was addressed promptly in version 5.9.3, many businesses have not yet updated. Every day without patching exposes WordPress sites to potential compromise through this specific flaw.
Remediating the Vulnerability
- Update Essential Addons for Elementor to version 5.9.3 or newer. This patches the vulnerability at its core by addressing the underlying code flaws.
- Scan page templates and themes for unauthorized code. Watch for malicious JavaScript that may have been injected already. Remove anything suspicious.
- Limit contributor accounts only to those that need them. Reduce exposure by ensuring editing access is restricted properly across your website.
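To support the template review step above (and the "Check for Signs of Vulnerability" advice earlier), here is an added example, not code from the plugin or from this report, of a small Python scanner that walks stored post content and flags script tags, inline event handlers, javascript: URIs, and id attributes outside a conservative allowlist. The post_content rows are constructed for the demo; on a real site you would feed it the content exported from your posts table.

```python
import re
from html.parser import HTMLParser

# Constructed sample post_content rows (not from the plugin or any real site).
# 102 shows a custom ID that was never escaped, so the payload broke out of
# the attribute; 105 shows the same payload after proper escaping: inert,
# but still worth a reviewer's attention.
SAMPLE_POSTS = {
    101: '<div id="hero-section" class="elementor-widget">Welcome</div>',
    102: '<div id="x" onmouseover="alert(1)" class="elementor-widget">Hi</div>',
    103: '<section id="team"><script>alert(1)</script></section>',
    104: '<a id="cta" href="javascript:alert(1)">Click</a>',
    105: '<div id="team&quot; onload=&quot;alert(1)">Escaped, not executable</div>',
}


class InjectedJsFinder(HTMLParser):
    """Collect markup that can run script, plus id values outside a strict allowlist."""

    # Conservative allowlist for a custom ID: a letter, then letters/digits/_/-.
    SAFE_ID = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and unescapes values.
        if tag == "script":
            self.findings.append(("script-tag", self.get_starttag_text()))
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{name}={value!r}"))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-uri", f"{name}={value!r}"))
            elif name == "id" and not self.SAFE_ID.match(value):
                self.findings.append(("unsafe-id", value))


def scan_posts(posts):
    """Return {post_id: findings} for every post whose markup raised a finding."""
    report = {}
    for post_id, content in posts.items():
        finder = InjectedJsFinder()
        finder.feed(content)
        finder.close()
        if finder.findings:
            report[post_id] = finder.findings
    return report
```

Anything reported as script-tag, event-handler or javascript-uri in content that a contributor authored deserves a manual look; unsafe-id findings show where an odd ID value was stored but escaped correctly on output.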
Staying on top of vulnerabilities like this can be challenging, but with a layered approach you can secure your website despite limited time. Set calendar reminders to periodically check plugins and themes for updates. Enlist support to receive notifications whenever vulnerabilities in key software are disclosed. Prioritize upgrades that fix security flaws.
While the Internet introduces growing threats, don’t let them stop your business success. Take the steps to shift website security from an afterthought to a priority. Protect your hard work by proactively securing your online presence against compromise through vulnerabilities like this.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.