Post title on background showing stacked blocks with hand pulling out red block

Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin

On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates”, but we are referring to it in this post as the “Starter Templates Plugin” to avoid confusion.

Versions 2.7.0 and older of this plugin contain a vulnerability that allows Contributor-level users to completely overwrite any page on the site with malicious JavaScript.

The plugin’s developer responded to us, and we provided full disclosure of the vulnerability details the next day, on October 5, 2021. A patched version of the Starter Templates plugin, version 2.7.1, was released on October 7, 2021.

We released a firewall rule to protect Wordfence Premium customers on October 4, 2021. Sites running the free version of Wordfence received the same protection 30 days later, on November 3, 2021.


Description: Authenticated Block Import to Stored XSS
Affected Plugin: Starter Templates — Elementor, Gutenberg & Beaver Builder Templates
Plugin Slug: astra-sites
Affected Versions: <= 2.7.0
CVE ID: CVE-2021-42360
CVSS Score: 7.6(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 2.7.1

The Starter Templates plugin allows site owners to import prebuilt templates and blocks for various page builders, including Elementor.

On sites that also had Elementor installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action.

While the elementor_batch_process function associated with this action did perform a nonce check, the required _ajax_nonce was also available to Contributor-level users in the page source of the WordPress dashboard.

		public function elementor_batch_process() {

			// Verify Nonce.
			check_ajax_referer( 'astra-sites', '_ajax_nonce' );

			if ( ! current_user_can( 'edit_posts' ) ) {
				wp_send_json_error( __( 'You are not allowed to perform this action', 'astra-sites' ) );
			}

			if ( ! isset( $_POST['url'] ) ) {
				wp_send_json_error( __( 'Invalid API URL', 'astra-sites' ) );
			}

			$response = wp_remote_get( $_POST['url'] );

			if ( is_wp_error( $response ) ) {
				wp_send_json_error( wp_remote_retrieve_body( $response ) );
			}

			$body = wp_remote_retrieve_body( $response );
			$data = json_decode( $body, true );
			if ( ! isset( $data['post-meta']['_elementor_data'] ) ) {
				wp_send_json_error( __( 'Invalid Post Meta', 'astra-sites' ) );
			}

			$meta    = json_decode( $data['post-meta']['_elementor_data'], true );
			$post_id = $_POST['id'];

			if ( empty( $post_id ) || empty( $meta ) ) {
				wp_send_json_error( __( 'Invalid Post ID or Elementor Meta', 'astra-sites' ) );
			}

			if ( isset( $data['astra-page-options-data'] ) && isset( $data['astra-page-options-data']['elementor_load_fa4_shim'] ) ) {
				update_option( 'elementor_load_fa4_shim', $data['astra-page-options-data']['elementor_load_fa4_shim'] );
			}

			$import      = new \Elementor\TemplateLibrary\Astra_Sites_Elementor_Pages();
			$import_data = $import->import( $post_id, $meta );

			wp_send_json_success( $import_data );
		}

An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite.

Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.

This could be used to redirect site visitors to malicious websites, or hijack an administrator’s session in order to create a new malicious administrator or add a backdoor to the site, leading to site takeover.

Timeline

October 4, 2021 – Wordfence Threat Intelligence finishes our investigation and releases a firewall rule to protect Wordfence Premium customers. We initiate the disclosure process.
October 5, 2021 – The plugin developer responds and we send over full disclosure.
October 7, 2021 – A patched version, 2.7.1, is released.
November 3, 2021 – The firewall rule becomes available to Wordfence free users

Conclusion

In today’s post we covered a vulnerability in the “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates” plugin that allows lower-privileged users, such as Contributors, to overwrite existing posts and pages with arbitrary blocks containing malicious JavaScript.

Wordfence Premium users have been protected against this vulnerability since October 4, 2021, while sites still running the free version of Wordfence received the same protection 30 days later, on November 3, 2021.

We strongly recommend updating to the latest version of the plugin available immediately, which is 2.7.5 as of this writing, since it contains additional bug fixes.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!

Comments

7 Comments
  • Which free version of Wordfence provides protection for this vulnerability?

    • Hi Brenda,

      The rule has been available to free Wordfence users since November 3 of this year, and you will receive the rule even if you're a few versions behind on Wordfence free (though we always recommend keeping your plugins up to date).

  • Thanks for this security incident notification. Do we have to do any update on Elementor?

    • Hi Diego,

      You shouldn't need to update Elementor for this - the vulnerability isn't in Elementor, but it does require Elementor to be active in order to work.

      • Thanks for clarifying this, Ram!

  • If we had this plugin in October, but no longer have it (uninstalled before I even heard about this issue) is our site safe? Ive had the free version of Wordfence for a couple weeks now.

    • Hi Sydney,

      If you had the plugin installed before October 7, 2021, then you would have had a vulnerable installation. However, this vulnerability also needed a user with sufficient permissions to exploit it - if you don't have any contributor or author users on your site (or other "Partially trusted" users with similar permissions), then you wouldn't have been impacted.