Flaws in WordPress plugins affect over 7M websites


Security researchers have discovered vulnerabilities in multiple WordPress plugins which, when successfully exploited, could allow an attacker to run arbitrary code and take over a website.

The flaws were found in Elementor, a website builder plugin which is used in more than seven million sites, and WP Super Cache, a tool used to serve cached pages of a WordPress site.

The security flaws in Elementor were discovered by researchers at Wordfence, who stated that the bug concerns a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4), which occur when a malicious script is injected directly into a vulnerable web application.

So, due to a lack of validation of the HTML tags on the server-side, an attacker can exploit the issues to add executable JavaScript to a post or page via a crafted request.

Wordfence stated that since posts created by contributors are usually reviewed by editors or administrators before publishing, any JavaScript added to one of these posts would be executed in the reviewer’s browser. If an administrator reviewed a post containing malicious JavaScript, their authenticated session with high-level privileges could be used to create a new malicious administrator, or to add a backdoor to the site. An attack on this vulnerability could lead to site takeover.

Multiple HTML elements such as Heading, Column, Accordion, Icon Box, and Image Box were found to be vulnerable to the stored XSS attack. So, any user can access the Elementor editor and add executable JavaScript.

As the flaws take advantage of the fact that dynamic data entered in a template could be leveraged to include malicious scripts intended to launch XSS attacks, such behavior can be prevented by validating the input and escaping the output data so that the HTML tags passed as inputs are rendered harmless.
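The validate-then-escape pattern described above, as an added example that is not Elementor's code: a hypothetical heading renderer in plain PHP, with the weak form beside the hardened one. The function names, the tag allowlist and the sample settings are assumptions made for illustration.

```php
<?php
// Added example: hypothetical heading renderer, not code from Elementor.

// Allowlist of tags a heading element may emit (assumed set for illustration).
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Weak form: trusts the tag name and title exactly as they were stored from the request.
function render_heading_unsafe(array $settings): string
{
    return sprintf('<%1$s>%2$s</%1$s>', $settings['tag'], $settings['title']);
}

// Input validation: any value outside the allowlist falls back to a safe default.
function validate_heading_tag($tag): string
{
    $tag = is_string($tag) ? strtolower(trim($tag)) : '';
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : 'h2';
}

// Output escaping: dynamic text is encoded so markup inside it is displayed, not parsed.
function render_heading_safe(array $settings): string
{
    $tag   = validate_heading_tag($settings['tag'] ?? '');
    $title = htmlspecialchars(
        (string) ($settings['title'] ?? ''),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return sprintf('<%1$s>%2$s</%1$s>', $tag, $title);
}

// Constructed sample settings, standing in for what a crafted save request could store.
$crafted = ['tag' => 'script', 'title' => 'alert(document.domain)'];
$normal  = ['tag' => 'H3', 'title' => 'Q&A <b>notes</b>'];

echo render_heading_unsafe($crafted), PHP_EOL; // tag and text emitted verbatim
echo render_heading_safe($crafted), PHP_EOL;   // tag replaced by the default, text inert
echo render_heading_safe($normal), PHP_EOL;    // tag normalised, markup in the text encoded
```

Inside a WordPress plugin, `esc_html()` and `wp_kses()` fill the escaping and filtering roles that `htmlspecialchars()` plays here.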

Another flaw, discovered in WP Super Cache, which is used by more than two million WordPress sites, was an authenticated remote code execution (RCE) vulnerability that could permit an attacker to upload and execute malicious code with the intent of gaining control of the site.

Elementor fixed the issues in version 3.1.4 released on March 8 by hardening “allowed options in the editor to enforce better security policies.” Similarly, Automattic, the developer behind WP Super Cache, addressed the “authenticated RCE in the settings page” in version 1.7.2.

All users are strongly advised to update to the latest versions to reduce the risk associated with the flaws.

