Researchers have issued advisories for eleven separate Elementor add-on plugins with 15 vulnerabilities that can make it possible for hackers to upload malicious files. One of them is rated as a high threat vulnerability because it can allow hackers to bypass access controls, execute scripts and obtain sensitive data.
Two Different Kinds Of Vulnerabilities
The majority of the vulnerabilities are Stored Cross Site Scripting (XSS). Three of them are Local File Inclusion.
XSS vulnerabilities are among the most common form of vulnerability found in WordPress plugins and themes. They generally arise from flaws in how input data is secured (input sanitization) and also how output data is locked down (output escaping).
A Local File Inclusion vulnerability is one that exploits an unsecured user input area that allows an attacker to “include” a file into the input. Include is a coding term. In plain English a file inclusion is a scripting thing (a statement) that tells the website to add a specific code from file, like a PHP file. I have used includes in PHP to bring in data from one file (like the title of a webpage) and stick it into the meta description, that’s an example of an include.
This kind of vulnerability can be a serious threat because it allows an attacker to “include” a wide range of code which in turn can lead to the ability to bypass any restrictions on actions that can be carried out on the website and/or allow access to sensitive data that is normally restricted.
The Open Web Application Security Project (OWASP) defines a Local File Inclusion vulnerability:
“The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:
Code execution on the web server
Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
Denial of Service (DoS)
Sensitive Information Disclosure”
List Of Vulnerable Elementor Add-On Plugins
There are eleven total Elementor add-on plugins that have vulnerability advisories, two of which were issued today (March 29th), two of which were issued on March 28th. The remaining seven were issued within the past few days.
Some of the plugins have more than one vulnerability so that there are a total of 15 vulnerabilities in eleven of the plugins.
Out of the eleven plugins one is rated as a High Severity vulnerability and the rest are Medium Severity.
Here is the list of plugins listed in descending order of the most recent to the earliest. The numbers next to the vulnerabilities denote if they have more than one vulnerability.
List of Vulnerable Elementor Add-Ons
- ElementsKit Elementor addons (x2)
- Unlimited Elements For Elementor
- 140+ Widgets | Best Addons For Elementor
- Better Elementor Addons
- Elementor Addon Elements (x2)
- Master Addons for Elementor
- The Plus Addons for Elementor (x2)
- Essential Addons for Elementor (x2)
- Element Pack Elementor Addons
- Prime Slider – Addons For Elementor
- Move Addons for Elementor
High Severity Vulnerability
The High Severity vulnerability is found in the ElementsKit Elementor Addons plugin for WordPress is especially concerning because it can put over a million websites in danger. This vulnerability is rated 8.8 on a scale of 1- 10.
What accounts for its popularity is the all-in-one nature of the plugin that allows users to easily modify virtually any on-page design feature in the headers, footers, and menus. It also includes a vast template library and 85 widgets that add extra functionality to webpages created with the Elementor website building platform.
The Wordfence security researchers described the vulnerability threat:
“The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.”
Millions of WordPress Sites Affected
The vulnerabilities may affect over 3 million websites. Just two of the plugins have a total of three million active installations. Websites tend to use just one of these plugins because there is a certain amount of overlap between the features. The all-in-one nature of some of these plugins means that only one plugin is needed in order to access important widgets for adding sliders, menus and other on-page elements.
List of Vulnerable Plugins By Number Of Installations
- Essential Addons for Elementor – 2 Million
- ElementsKit Elementor addons – 1 Million
- Unlimited Elements For Elementor – 200k
- Elementor Addon Elements – 100k
- The Plus Addons for Elementor – 100k
- Element Pack Elementor Addons – 100k
- Prime Slider – Addons For Elementor – 100k
- Master Addons for Elementor – 40k
- 140+ Widgets | Best Addons For Elementor – 10k
- Move Addons for Elementor – 3k
- Better Elementor Addons – Unknown – Closed By WordPress
Recommended Action
Although many of the medium level severity vulnerabilities require hackers to obtain contributor level authentication in order to launch an attack, it’s best not to underestimate the risk posed by other plugins or installed themes that might grant the attacker the ability to launch these specific attacks.
It’s generally prudent to test updated themes before pushing updates to a live site.
Read the official Wordfence advisories (with CVE numbers):
A. 03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-1238
B. 03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Local File Inclusion in render_raw CVE-2024-2047 8.8 HIGH THREAT
03/29 Unlimited Elements For Elementor <= 1.5.96 – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link CVE-2024-0367
3/28 140+ Widgets | Best Addons For Elementor – FREE <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2250
3/28 Better Elementor Addons <= 1.4.1 – Authenticated(Contributor+) Stored Cross-Site Scripting via widget links CVE-2024-2280
A. Elementor Addon Elements <= 1.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2091
B. Elementor Addon Elements <= 1.13.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘Text Separator’ and ‘Image Compare’ Widget CVE-2024-2792
Master Addons for Elementor <= 2.0.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget CVE-2024-2139
A. The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Team Member Listing CVE-2024-2210
B. The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Clients Widget CVE-2024-2203
A. Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting ( via the countdown widget’s message parameter) CVE-2024-2623
B. Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting (via the alignment parameter in the Woo Product Carousel widget) CVE-2024-2650
Element Pack Elementor Addons <= 5.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via link CVE-2024-30185
Prime Slider – Addons For Elementor <= 3.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via title CVE-2024-30186
Move Addons for Elementor <= 1.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2131
Featured Image by Shutterstock/Andrey Myagkov
