Wordfence issued an advisory on a vulnerability patched in the popular Happy Addons for Elementor plugin, installed on over 400,000 websites. The security flaw could allow attackers to upload malicious scripts that execute when browsers visit affected pages.

Happy Addons for Elementor

The Happy Addons for Elementor plugin extends the Elementor page builder with dozens of free widgets and features like image grids, a user feedback and reviews function, and custom navigation menus. A paid version of the plugin offers even more design functionalities that make it easy to create functional and attractive WordPress websites.

Stored Cross-Site Scripting (Stored XSS)

Stored XSS is a vulnerability typically occur when a theme or plugin doesn’t properly filter user inputs (called sanitization), allowing malicious scripts to be uploaded to the database and stored on the server itself. When a user visits the website the script downloads to the browser and executes actions like stealing browser cookies or redirecting the user to a malicious website.

The stored XSS vulnerability affecting the Happy Addons for Elementor plugin requires a hacker acquiring Contributor-level permissions (authentication), making it harder to take advantage of the vulnerability.

WordPress security company Wordfence rated the vulnerability 6.4 on a scale of 1 – 10, a medium threat level.

According Wordfence:

“The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Plugin users should consider updating to the latest version, currently 3.12.6, which contains a security patch for the vulnerability.

Read the Wordfence advisory:

Happy Addons for Elementor <= 3.12.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison

