Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites
As Elementor has a contact method specifically for security reports, we were able to provide the full disclosure immediately. Elementor acknowledged the vulnerability the next day, on February 24, 2021. An initial patch was made available in version 3.1.2 on March 2, 2021. However, we recommend updating to at least Elementor version 3.1.4, the latest available at the time of this writing, as it contains additional fixes for the issue.
Wordfence Premium users received a firewall rule protecting against these vulnerabilities on February 23, 2021. Sites still running the free version of Wordfence will receive the same protection after 30 days, on March 25, 2021.
Affected Plugin: Elementor
Plugin Slug: elementor
Affected Versions: < 3.1.2
CVE IDs: Pending
CVSS Score: 6.4 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 3.1.4
Elementor is a wildly popular editor plugin that allows content creators, including contributors, the ability to visually design websites using “elements” that can be added to any location on the page being built.
Many of these elements offer the option to set an HTML tag for the content within. For example, the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the
For instance, the “Column” element, one of the most basic Elementor components, accepts an
html_tag parameter. This parameter was output without escaping, and could be set to an inline script, a script with a remote source, or could even be attacked using attribute-based XSS.
The Accordion, Icon Box, and Image Box elements were all vulnerable to this type of attack as well, though the vulnerable parameter names varied depending on the component.
Escaping output isn’t always enough
Escaping the output of the chosen HTML tag might have been sufficient to prevent some of these components from being exploitable, and indeed, the “Section” element and the “Toggle” element suffered from similar flaws but could not be exploited because they escaped their chosen HTML tags, and because any additional content was wrapped inside several other levels of tags.
Unfortunately, however, escaping output is not always sufficient to prevent exploits from occurring. For instance, for the “Heading” element, escaping the output of the
header_size parameter would not have been sufficient to prevent Cross-Site Scripting because the heading text was nested immediately inside the
header_size tags. As such it was possible to set the
header_size parameter to
html_tag parameter because the inner text was nested immediately inside the chosen
This is an excellent example of why it is important to validate input in addition to escaping output. Enforcing a list of allowed HTML tags on the server side rather than only on the client side would prevent exploitation of this type of vulnerability. Indeed, this is the approach the patched version uses to correct the issue.
February 23, 2021 – Wordfence Threat Intelligence releases a firewall rule to Premium users and provides full disclosure to the Elementor security contact.
February 24, 2021 – Elementor acknowledges the disclosure and begins to work on a fix.
March 2, 2021 – An initial patch becomes available in version 3.1.2.
March 8, 2021 – Additional fixes are put in place in version 3.1.4.
March 25, 2021 – The firewall rule becomes available to free users.
In today’s article, we detailed stored Cross-Site Scripting(XSS) vulnerabilities present in Elementor, which could be exploited via the Column element as well as the Accordion, Icon Box, Image Box, Heading, and Divider components. These vulnerabilities have been patched in version 3.1.4, and we strongly recommend that all users of Elementor update to the latest version available, which is 3.1.4 at the time of publication.
Wordfence Premium users have been protected against these vulnerabilities since February 23, 2021. Sites still running the free version of Wordfence will receive the same protection 30 days later, on March 25, 2021.
If you know a friend or colleague who is using Elementor, we recommend forwarding this advisory to them, as these vulnerabilities can be used for site takeover. While these vulnerabilities require contributor-level permissions to exploit, the immense popularity of Elementor means that there are likely to be many vulnerable configurations in the wild. As such, we recommend treating these vulnerabilities with greater than normal urgency.