Plugin Name: Essential Addons for Elementor
- Software Type: Plugin
- Software Slug: essential-addons-for-elementor-lite
- Software Status: Active
- Software Author: wpdevteam
- Software Downloads: 62,990,243
- Active Installs: 1,000,000
- Last Updated: January 3, 2024
- Patched Versions: 5.9.3
- Affected Versions: <= 5.9.2
- Name: Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-7044
- CVSS Score: 6.4 (Medium)
- Publicly Published: January 3, 2024
- Researcher: Webbernaut
- Description: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom ID in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access and higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Advice for Users:
- Immediate Action: Update to version 5.9.3 or later as soon as possible.
- Alternate Plugins: Consider alternate page builder plugins like Beaver Builder if concerned.
- Stay Updated: Always keep plugins updated to avoid vulnerable versions.
The response by wpdevteam to address this vulnerability reinforces the need to promptly install security updates. Users should upgrade to version 5.9.3 to mitigate any potential attacks leveraging this issue on their WordPress sites.
Keeping your WordPress website secure should be a priority for any business relying on an online presence, but staying on top of vulnerabilities can feel impossible. Unfortunately, Essential Addons for Elementor, a popular add-on for the Elementor page builder, was recently found to contain a stored cross-site scripting flaw that leaves unpatched installations open to attack from low-privilege authenticated users. Don’t let your hard work be compromised by outdated software. By taking a few proactive security measures, you can protect your business website despite having minimal time for website administration.
The Vulnerability Explained
Researcher Webbernaut disclosed the vulnerability, tracked as CVE-2023-7044, in early January 2024. It affects Essential Addons for Elementor versions up to and including 5.9.2, and the plugin is actively installed on over 1 million WordPress sites. The flaw is a stored cross-site scripting (XSS) bug (CWE-79, Improper Neutralization of Input During Web Page Generation): the value a user enters in the plugin's custom ID setting is neither sanitized when it is saved nor escaped when it is written into the page markup, so whatever the user typed lands in the HTML as-is. Any authenticated user with the Contributor role or higher can therefore store a script payload in that field, and the payload executes in the browser of every visitor, administrators included, who loads the affected page. The issue carries a CVSS score of 6.4 (Medium).
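To make the bug class concrete, the following is an added illustration written for this page, not code from Essential Addons for Elementor or wpdevteam: a widget that echoes a stored "custom ID" straight into an `id` attribute, beside a hardened version that whitelists the value and escapes it on output. The widget markup, the `custom_id` setting key and the function names are assumptions; the fallback definitions of `esc_attr()` and `sanitize_html_class()` exist only so the script runs outside WordPress.

```php
<?php
// Added illustration of attribute-context stored XSS through a "custom ID"
// setting. NOT the plugin's code; widget markup, setting key and function
// names are assumptions.

// Stand-ins so this file runs outside WordPress (php xss_demo.php).
// Inside WordPress the core esc_attr() / sanitize_html_class() are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    function sanitize_html_class(string $class, string $fallback = ''): string {
        // Same whitelist WordPress core applies: letters, digits, '_' and '-'.
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $class);
        return $clean === '' ? $fallback : $clean;
    }
}

// Vulnerable pattern: the saved setting is concatenated into an attribute
// without sanitization or escaping, so a double quote ends the attribute early.
function render_widget_vulnerable(array $settings): string {
    return '<div id="' . $settings['custom_id'] . '" class="demo-widget">Hello</div>';
}

// Hardened pattern: restrict the value to valid id characters when it is
// saved (sanitize_custom_id) AND escape it when it is printed (esc_attr).
function sanitize_custom_id(string $value): string {
    return sanitize_html_class($value);
}

function render_widget_hardened(array $settings): string {
    $id = esc_attr(sanitize_custom_id((string) ($settings['custom_id'] ?? '')));
    return '<div id="' . $id . '" class="demo-widget">Hello</div>';
}

// Constructed sample: the kind of value a Contributor could save in the
// custom ID field. It closes the id attribute and adds an event handler.
$settings = ['custom_id' => 'x" onmouseover="alert(document.cookie)'];

echo "vulnerable: ", render_widget_vulnerable($settings), PHP_EOL;
echo "hardened:   ", render_widget_hardened($settings), PHP_EOL;
```

Running it shows the difference: the vulnerable output contains an `onmouseover` attribute that the browser will honour, while the hardened output's `id` is reduced to the letters of the payload, because `sanitize_html_class()` strips every character outside `[A-Za-z0-9_-]`, and any quote that survived sanitization would still be rendered inert as `&quot;` by `esc_attr()`. Either step alone defeats this particular payload; applying both (sanitize on save, escape on output) is the WordPress convention, and their absence is the "insufficient input sanitization and output escaping" the advisory describes. Note that WordPress core only filters post content for users who lack the `unfiltered_html` capability (Contributors among them); it does not inspect values a plugin stores and renders through its own settings, which is why escaping inside the plugin is what matters here.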
Impacts to Businesses
Because the payload is stored, it fires every time the injected page is viewed, including when an administrator opens it. An attacker holding a Contributor, Author, or Editor account on an unpatched site, or a compromised account of that kind, could use the flaw to steal session cookies, perform actions in the browser of an administrator who views the page, read customer or business data that user can see, or insert unwanted content such as spam links or redirects.
The fix shipped promptly in version 5.9.3, but any installation still running 5.9.2 or earlier remains exposed for as long as it goes unpatched.
Remediating the Vulnerability
- Update Essential Addons for Elementor to version 5.9.3 or newer, then confirm that the version shown on the Plugins screen is 5.9.3 or later. The update removes the flaw at its source; every other measure only limits who can reach it.
- Keep accounts with the Contributor role or higher to a minimum. Every such account can reach the affected setting, so review your user list, remove stale or unused accounts, and do not grant editing roles to people who only need to read content.
Staying on top of vulnerabilities like this can be challenging, but with a layered approach you can secure your website despite limited time. Set calendar reminders to periodically check plugins and themes for updates. Subscribe to vulnerability notifications for the software your site depends on. Prioritize upgrades that fix security flaws.
While the Internet introduces growing threats, don’t let them stop your business success. Take the steps to shift website security from an afterthought to a priority. Protect your hard work by proactively securing your online presence against compromise through vulnerabilities like this.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.