January 30, 2020 by Oliver Sild
Elementor is a WordPress page builder that delivers high-end page designs and advanced capabilities. With over 4 million active installations, it’s one of the most popular plugins on the WordPress plugin library.
Over the past two days (28 and 29 January), two different XSS (cross-site scripting) vulnerabilities were disclosed in Elementor Page Builder. Let’s take a look at both, see how they differ, and go through how you should remediate them and protect your website from both vulnerabilities.
Vulnerability #1: Reflected XSS in Elementor Page Builder
Vulnerable version #1: fixed in version 2.8.5
Vulnerability #2: Stored XSS in Elementor Page Builder
Vulnerable version #2: fixed in version 2.8.5
Number of sites affected: 4,000,000+
On the 28th of January, an independent security researcher published an article with a proof of concept of how he found an authenticated reflected-XSS in the Elementor Page Builder plugin. Keep in mind that to take advantage of this vulnerability, the potential attacker would need to be authenticated to the website.
Using this vulnerability for malicious purposes is especially hard because reflected XSS is non-persistent: to target a victim, the attacker would need to get an authenticated website administrator to click a specially crafted URL, where malicious JavaScript code could in theory steal the session cookie of that authenticated administrator user.
The possibility of such an attack is demonstrated by the researcher here, where a carefully crafted URL can extract the session cookie.
/wp-admin/admin.php?page=elementor-system-info&lndan%22%3e%3cscript%0csrc%3d//0x7f000001%3e%3c/script%3e=1
Even though reflected XSS gives the potential attacker less power than persistent (stored) XSS, a reflected XSS is much easier to find.
Just a day later, another XSS vulnerability was disclosed in an earlier version of Elementor Page Builder. This time, the XSS vulnerability is persistent, but similarly to the previous one, authentication is required to take any advantage of this vulnerability.
In this case, the vulnerability allows a malicious script to be injected on the Elementor Page Builder plugin’s System Info page. If an administrator visits the System Info page, the malicious script will be executed.
This vulnerability could potentially allow less privileged users (if your website has registration open) to register an admin account, redirect the admin to a malicious site or even escalate this to store a backdoor on the site.
If you have registrations open on your Elementor site and you’re afraid that you might have fallen under attack, you can scan your access logs for requests containing action=elementor_js_log that come from an unknown IP address.
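To put the log check above into practice, here is an added example (not WebARX’s code and not from the original post) that scans combined-format access log lines for requests carrying action=elementor_js_log and reports the source IPs that are not on an assumed allow-list of known administrator addresses. The log lines and IP addresses are constructed for the example.

```python
from __future__ import annotations
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: client IP, identity, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def is_elementor_js_log_request(path: str) -> bool:
    """True if the request's query string carries action=elementor_js_log (any HTTP method)."""
    qs = parse_qs(urlsplit(path).query)
    return "elementor_js_log" in qs.get("action", [])

def find_suspicious_requests(log_text: str, known_ips: set[str]) -> dict[str, list[str]]:
    """Return {ip: [timestamps]} for elementor_js_log requests from IPs outside known_ips."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_elementor_js_log_request(m["path"]) and m["ip"] not in known_ips:
            hits[m["ip"]].append(m["ts"])
    return dict(hits)

# Constructed sample log lines (not real traffic); the IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jan/2020:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=elementor_js_log HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Jan/2020:10:03:44 +0000] "POST /wp-admin/admin-ajax.php?action=elementor_js_log HTTP/1.1" 200 31 "-" "python-requests/2.22"
198.51.100.7 - - [29/Jan/2020:10:03:45 +0000] "GET /wp-admin/admin.php?page=elementor-system-info HTTP/1.1" 200 8812 "-" "python-requests/2.22"
192.0.2.44 - - [29/Jan/2020:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Assumed: 203.0.113.10 is the site's own administrator; every other address is unknown.
    for ip, when in find_suspicious_requests(SAMPLE_LOG, known_ips={"203.0.113.10"}).items():
        print(f"{ip}: {len(when)} elementor_js_log request(s), first at {when[0]}")
```

Note that a standard access log only records the query string, so an action parameter sent in a POST body will not show up here; in that case you would need request-body logging or a WAF log to see it.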
It’s recommended to update the Elementor plugin as soon as possible as both of the vulnerabilities have been fixed in the latest version. If you’re afraid that you have fallen under attack, please follow the WordPress malware removal guide here.
If you don’t feel comfortable with the technical bits of the remediation process and want to make sure your website is 100% clean, reach out to our team via the chat at the bottom right corner of this article.
WebARX customers have been protected from both of these vulnerabilities thanks to the WebARX firewall core ruleset preventing XSS attacks. We will closely monitor both of the vulnerabilities and will update the article with additional information as soon as attacks or IOCs are detected.