Security researchers have issued an advisory on six unique XSS vulnerabilities discovered in the Elementor Website Builder and its Pro version that may allow attackers to inject malicious scripts.
Elementor Website Builder
Elementor is one of the leading website builder platforms available, with over 5 million active installations worldwide; the official WordPress repository claims it powers over 16 million websites worldwide. The drag and drop interface allows anyone to quickly create professional websites, while the Pro version extends the platform with additional widgets and advanced ecommerce capabilities.
That popularity has also made Elementor a popular target for hackers, which makes these six vulnerabilities of particular concern.
Six XSS Vulnerabilities
Elementor Website Builder and the Pro version contain six different Cross-Site Scripting (XSS) vulnerabilities. Five of the vulnerabilities are due to insufficient input sanitization and output escaping while one of them is due to insufficient input sanitization.
Input sanitization is a standard coding practice used to secure areas of a plugin that allow users to input data into a form field or upload media. The process of sanitization blocks any input that does not conform with what is expected. A properly secured input for text data should block scripts or HTML, which is what input sanitization does.
Output escaping is the process of securing what the plugin outputs to the browser to keep it from exposing a site visitor’s browser to untrusted scripts.
The official WordPress Developer Handbook advises for input sanitization:
“Sanitizing input is the process of securing/cleaning/filtering input data.”
It’s important to note that all six vulnerabilities are distinct and completely unrelated to each other, and arise specifically from insufficient security controls on the Elementor side. It’s possible that one of them, CVE-2024-2120, affects both the free and pro versions. I contacted Wordfence for clarification on that and will update this article accordingly after I hear back.
List of Six Elementor Vulnerabilities
The following is a list of the six vulnerabilities and the versions they affect. All six vulnerabilities are rated as medium level security threats. The first two on the list affect Elementor Website Builder and the next four affect the Pro version. The CVE number is a reference to the official entry in the Common Vulnerabilities and Exposures database that serves as a reference for known vulnerabilities.
- Elementor Website Builder (CVE-2024-2117)
  Affects up to and including 3.20.2 – Authenticated DOM-Based Stored Cross-Site Scripting via Path Widget
- Elementor Website Builder Pro (and maybe free) (CVE-2024-2120)
  Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Post Navigation
- Elementor Website Builder Pro (CVE-2024-1521)
  Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Form Widget SVGZ File Upload
  This vulnerability only affects NGINX-based servers. Servers running Apache HTTP Server are unaffected.
- Elementor Website Builder Pro (CVE-2024-2121)
  Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via Media Carousel widget
- Elementor Website Builder Pro (CVE-2024-1364)
  Affects up to and including 3.20.1 – Authenticated Stored Cross-Site Scripting via widget’s custom_id
- Elementor Website Builder Pro (CVE-2024-2781)
  Affects up to and including 3.20.1 – Authenticated DOM-Based Stored Cross-Site Scripting via video_html_tag
All six vulnerabilities are rated as medium level security threats and require contributor-level permissions to execute.
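The sanitization and escaping distinction described above, and the kind of stored widget settings named in the list (an element id, an HTML wrapper tag), can be shown in a short example. This is added here and is not Elementor's code: the setting names html_tag, custom_id and url, the allow-list and the widget itself are hypothetical, and the markup is built as a string so it runs outside a browser (a DOM-based widget would insert the same string via innerHTML).

```javascript
// Added example, not Elementor code. Setting names and allow-list are hypothetical.

// Allow-list of wrapper tags the (hypothetical) video widget may legitimately use.
const ALLOWED_HTML_TAGS = new Set(["div", "figure", "section"]);

// Sanitize on save: a tag name must come from the allow-list, otherwise fall back.
function sanitizeHtmlTag(tag) {
  const t = String(tag).trim().toLowerCase();
  return ALLOWED_HTML_TAGS.has(t) ? t : "div";
}

// Sanitize on save: an element id may only contain [A-Za-z0-9_-].
function sanitizeCustomId(id) {
  return String(id).replace(/[^A-Za-z0-9_-]/g, "");
}

// Sanitize on save: a media URL must be http(s); anything else is dropped.
function sanitizeUrl(url) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(String(url)) ? String(url) : "";
}

// Escape on output: neutralise HTML metacharacters for text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Insufficient sanitization AND no escaping: stored settings go straight into markup.
function renderVideoWidgetUnsafe(s) {
  return `<${s.html_tag} id="${s.custom_id}"><video src="${s.url}"></video></${s.html_tag}>`;
}

// Hardened: structural values are allow-listed, and every value is escaped on output.
function renderVideoWidgetSafe(s) {
  const tag = sanitizeHtmlTag(s.html_tag);
  const id = escapeHtml(sanitizeCustomId(s.custom_id));
  const url = escapeHtml(sanitizeUrl(s.url));
  return `<${tag} id="${id}"><video src="${url}"></video></${tag}>`;
}

// Constructed contributor-supplied settings carrying script in two fields.
const STORED_SETTINGS = {
  html_tag: "div><script>alert(1)</script><div",
  custom_id: 'x" onmouseover="alert(1)',
  url: "https://example.com/clip.mp4",
};
```

Running renderVideoWidgetUnsafe(STORED_SETTINGS) yields markup containing a script element and an injected event handler; renderVideoWidgetSafe(STORED_SETTINGS) yields a plain div with id "xonmouseoveralert1".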
Elementor Website Builder Changelog
According to Wordfence there are two vulnerabilities affecting the free version of Elementor. But the changelog shows there is only one fix.
The issues affecting the free version are in Path Widget and in Post Navigation Widget.
But the changelog for the free version only lists a patch for the Text Path Widget and not the Post Navigation one:
“Security Fix: Improved code security enforcement in Text Path Widget”
The Post Navigation Widget is a navigation feature that allows site visitors to navigate to the previous or next post in a series of posts.
So although it’s missing in the changelog, it is included in the Elementor Pro changelog which shows that it’s fixed in that version:
- “Security Fix: Improved code security enforcement in Media Carousel widget
- Security Fix: Improved code security enforcement in Form widget
- Security Fix: Improved code security enforcement in Post Navigation widget
- Security Fix: Improved code security enforcement in Gallery widget
- Security Fix: Improved code security enforcement in Video Playlist widget”
The missing entry in the free changelog may be a misprint by Wordfence, because the official Wordfence advisory for CVE-2024-2120 shows an entry for “software slug” as elementor-pro.
Recommended Course Of Action
Users of both versions of the Elementor Website Builder are encouraged to update their plugin to the latest version. Although exploiting these vulnerabilities requires an attacker to acquire contributor-level credentials, that is still within the realm of possibility, especially if contributors don’t have strong passwords.