Recent Patches Rock the Elementor Ecosystem
This post has been updated with additional plugins that have been patched since its original publication. We will continue to add plugins as they are patched.
Over the last few weeks, the Wordfence Threat Intelligence team has responsibly disclosed vulnerabilities in more than 15 of the most popular addon plugins for Elementor, which are collectively installed on over 3.5 million sites. All together, our team found over 100 vulnerable endpoints.
These stored Cross-Site Scripting vulnerabilities were similar in execution to the recently published vulnerabilities in the main Elementor plugin. They allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator.
These vulnerabilities are covered by the same Wordfence firewall rule that we created for the original Elementor vulnerability, which has been available to free Wordfence users since March 25, 2021.
Which plugins were impacted?
We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder.
We have attempted to notify the developers and publishers of as many vulnerable plugins as possible, and have advised them to review their premium plugins for similar issues.
In most cases the plugin developers we contacted have patched quickly, but a few failed to respond to our initial contact request. In these cases, we contacted the WordPress plugins repository to have the vulnerable plugins reviewed.
Due to the sheer number of plugins that add new elements to Elementor, some may likely still be vulnerable, especially in cases where the plugin code was not freely available for us to review, as is the case with many premium plugins.
Note that we have only listed plugins that have been patched at this time. If your site is running any of these plugins, we strongly recommend updating as soon as possible. If your site is running a plugin that adds functionality to Elementor through new elements or widgets, and it is not listed here, we recommend contacting the plugin author or developer to verify that they have audited their plugin for these issues.
Affected Plugins: Listed below
Plugin Slugs: Listed below
Affected Versions: Listed below
CVE IDs: Listed Below
CVSS Score: 6.4 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Versions: Listed below
Essential Addons for Elementor (essential-addons-for-elementor-lite), 1M+ Installations
Versions < 4.5.4 are vulnerable, patched in version 4.5.4
CVE-2021-24255
Elementor – Header, Footer & Blocks Template (header-footer-elementor), 1M+ Installations
Versions < 1.5.8 are vulnerable, patched in version 1.5.8
CVE-2021-24256
Ultimate Addons for Elementor (ultimate-elementor), 600k+ Installations
Versions < 1.30.0 are vulnerable, patched in version 1.30.0
CVE-2021-24271
Premium Addons for Elementor (premium-addons-for-elementor), 400k+ Installations
Versions < 4.2.8 are vulnerable, patched in version 4.2.8
CVE-2021-24257
ElementsKit (elementskit-lite) and ElementsKit Pro (elementskit), 300k+ Installations
Versions < 2.2.0 are vulnerable, patched in version 2.2.0
CVE-2021-24258
Elementor Addon Elements (addon-elements-for-elementor-page-builder), 100k+ Installations
Versions < 1.11.2 are vulnerable, patched in version 1.11.2
CVE-2021-24259
Happy Addons for Elementor (happy-elementor-addons), 100k+ Installations
Free versions < 2.24.0 are vulnerable, patched in version 2.24.0. Pro versions < 1.17.0 are vulnerable, patched in version 1.17.0
CVE-2021-24292
Livemesh Addons for Elementor (addons-for-elementor), 100k+ Installations
Versions < 6.8 are vulnerable, patched in version 6.8
CVE-2021-24260
HT Mega – Absolute Addons for Elementor Page Builder (ht-mega-for-elementor), 70k+ Installations
Versions < 1.5.7 are vulnerable, patched in version 1.5.7
CVE-2021-24261
WooLentor – WooCommerce Elementor Addons + Builder (woolentor-addons), 50k+ Installations
Versions < 1.8.6 are vulnerable, patched in version 1.8.6
CVE-2021-24262
PowerPack Addons for Elementor (powerpack-lite-for-elementor), 50k+ Installations
Versions < 2.3.2 are vulnerable, patched in version 2.3.2
CVE-2021-24263
Image Hover Effects – Elementor Addon (image-hover-effects-addon-for-elementor), 40k+ Installations
Versions < 1.3.4 are vulnerable, patched in version 1.3.4
CVE-2021-24264
Rife Elementor Extensions & Templates (rife-elementor-extensions), 30k+ Installations
Versions < 1.1.6 are vulnerable, patched in version 1.1.6
CVE-2021-24265
The Plus Addons for Elementor Page Builder Lite (the-plus-addons-for-elementor-page-builder), 30k+ Installations
Versions < 2.0.6 are vulnerable, patched in version 2.0.6
CVE-2021-24266
All-in-One Addons for Elementor – WidgetKit (widgetkit-for-elementor), 20k+ Installations
Versions < 2.3.10 are vulnerable, patched in version 2.3.10
CVE-2021-24267
JetWidgets For Elementor (jetwidgets-for-elementor), 10k+ Installations
Versions < 1.0.9 are vulnerable, patched in version 1.0.9
CVE-2021-24268
Sina Extension for Elementor (sina-extension-for-elementor), 10k+ Installations
Versions < 3.3.12 are vulnerable, patched in version 3.3.12
CVE-2021-24269
DethemeKit For Elementor (dethemekit-for-elementor), 8k+ Installations
Versions < 1.5.5.5 are vulnerable, patched in version 1.5.5.5
CVE-2021-24270
Clever Addons for Elementor (cafe-lite), 8k+ Installations
Versions < 2.1.0 are vulnerable, patched in version 2.1.0
CVE-2021-24273
As with the vulnerabilities in the main Elementor plugin, each of these plugins added elements that allowed users to select an HTML tag from a drop-down menu in order to add formatting to a title or other text. Unfortunately, the tag options were not enforced on the server side and would be echoed out when displaying the element.
An attacker could, for instance, intercept a request where they added a title element, and change an “H5” heading tag to a “script” tag. In many cases it was possible to add JavaScript directly via one of these tags, while other plugins enforced various levels of sanitization. Even for plugins that performed sanitization on output, it was still often possible to set the HTML tag use to a remotely sourced script, or to simply set the tag to “script” and place the JavaScript to be executed in the actual title or a similar parameter.
Who should be worried about this?
Sites that have multiple users that contribute content and are running an unpatched version of one of the plugins listed above should be considered at risk. Vulnerabilities of this type are unlikely to be exploited at scale, but are extremely valuable to attackers targeting individual sites. This applies especially to high-profile media sites or other sites likely to be specifically targeted by attackers. If you are the sole user on your site, then this will not affect you.
While all of the vulnerabilities in question require an attacker to gain access to an account with at least “contributor” permissions to exploit, the contributor role is not considered a trusted role. Any content written by contributors must be reviewed by an Editor or an Administrator before it can be published. It may be easier for an attacker to obtain access to an account with contributor privileges than to gain administrative credentials, and a vulnerability of this type can be used to perform privilege escalation by executing JavaScript in a reviewing administrator’s browser session.
If you are a plugin developer or publisher offering plugins to extend the functionality of Elementor via additional widgets, and we have not already contacted you, we strongly recommend reviewing your code base for similar vulnerabilities using the patches in these plugins and the main Elementor plugin as a template.
A Special Thank You
All software is vulnerable at some point in its lifecycle, and most software is vulnerable to some extent at every point in its lifecycle. It’s unrealistic to expect any company or developer to write software that is completely free from vulnerabilities without significant testing and review. What matters most is their response once vulnerabilities are discovered and disclosed.
As such, we’d like to thank the following plugin developers and publishers for their exemplary responses to our disclosure:
POSIMYTH, publishers of The Plus Addons for Elementor Page Builder Lite, for helping us identify additional vulnerable plugins and actively seeking to improve the security of their product.
Brainstorm Force, publishers of Elementor – Header, Footer & Blocks Template and Ultimate Addons for Elementor, for their fast response and transparency in informing their users of the security issues in their plugins.
HasThemes, publishers of HT Mega – Absolute Addons for Elementor Page Builder and WooLentor – WooCommerce Elementor Addons + Builder, for their extremely fast response in patching their plugins.
WPDeveloper, publishers of Essential Addons for Elementor, for their fast response in patching the vulnerabilities in their plugin.
Crocoblock, publishers of JetWidgets For Elementor and many other Elementor addon plugins, for their fast response and willingness to review their premium addons for similar issues.
WebTechStreet, publishers of Elementor Addon Elements, for their fast response in patching the vulnerabilities in their plugin.
Livemesh, publishers of Livemesh Addons for Elementor, for their responsiveness.
WPMet, publishers of the ElementsKit and ElementsKit Pro plugins, for their responsiveness.
ThemesGrove, publishers of All-in-One Addons for Elementor – WidgetKit, for their responsiveness.
Apollo13Themes, publishers of Rife Elementor Extensions & Templates, for their responsiveness.
deTheme, publishers of DethemeKit For Elementor, for their responsiveness.
This article was the result of weeks worth of research and disclosure, and was, to some extent, a race against time before it became obvious to outside observers how many plugins in the Elementor ecosystem were vulnerable. Although making initial contact was occasionally difficult, we were pleasantly surprised by how many of the publishers we contacted began work immediately after our disclosure. We believe this bodes well for the Elementor ecosystem.
Conclusion
In this article, we covered a widespread set of Cross-Site Scripting(XSS) vulnerabilities present in many of the most popular Elementor addon plugins. Although most small site owners will not be directly affected, the vulnerabilities in question can be used for site takeover, and larger sites with multiple untrusted users are particularly at risk.
All Wordfence users, including sites using the free version of Wordfence, have been protected from these vulnerabilities since March 25, 2021.
If you are running a vulnerable version of any of these plugins on your site, be sure to update to the latest version available. If you are running any addon plugins for Elementor, be sure to apply any available updates as soon as possible.
If you know of a friend or colleague who manages a site that uses Elementor, be sure to forward this article to them as well. Security is a community effort, and staying informed is the most effective tool for keeping your website safe.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.
Comments
3:11 pm
You guys rock! Thank you for helping us stay safe.
4:00 pm
Thank you so much for the amazing work done. With Wordfence on my site, I am so relaxed confident that my site's security is 100% guaranteed.
4:16 pm
I am always in awe of the Professional work of Ram, Chloe and their threat analysts and Scott Millers excellent Wordfence Live Gig. Where would we be without Wordfence??
I will be upgrading to Premium in the near future. The #1 Wordpress plugin by far.
12:50 am
Guys, never underestimate the smallest security pinhole. This is the way to go...!
Thank You, Wordfence Team.
1:25 am
Was the problem specifically related to the Elementor family or could it be attributed to the way in which the developers coded their addons?
I ask because some of them provide other addons. For instance, Livemesh also publishes the Livemesh SiteOrigin Widgets plugin. Is it possible that similar coding could be used for this plugin, making it vulnerable?
6:51 am
Hi Lawrence,
Elementor has a surprisingly extensive set of developer documentation which includes code examples, many of which demonstrate the insecure behavior we've found. We believe that the developers of the vulnerable plugins used this documentation as a reference and this resulted in the vulnerable code patterns we found being used in their plugins as well. While documentation and code examples are extremely helpful, this does illustrate the danger of insecure coding practices spreading from insecure examples, something we've seen on other platforms as well. As such, we wouldn't necessarily expect to see the same patterns show up in other plugins by the same publishers unless they also are intended to add Widgets to Elementor, though it's always possible.