Decoding The Essential Addons For Elementor Vulnerability

The vulnerability arises from flaws in two key widgets of the Essential Addons plugin: Countdown and Woo Product Carousel.

by Ashish Khaitan March 28, 2024 in Firewall Daily, Vulnerabilities Reading Time: 4 mins read 0

615 SHARES 3.4k VIEWS Share on LinkedInShare on Twitter

A new has been revealed, affecting over 2 million websites utilizing the popular WordPress plugin. Security researchers have flagged (XSS) vulnerabilities within this plugin, which could potentially pave the way for attackers to inject malicious scripts into WordPress websites.

The vulnerability stems from flaws identified in two integral widgets incorporated within the Essential Addons plugin, namely the Countdown Widget and the Woo Product Carousel Widget. 

These have raised concerns among website owners and developers alike due to their widespread impact. The vulnerability was reported by security researcher Ngô Thiên An (ancorn_) and Wordfence gave it a rating of 6.4 on the vulnerability scale, affecting versions from 5.9.11 and below. 

Decoding the Essential Addons for Elementor Vulnerability

Essential Addons For Elementor serves as an extension to the Elementor WordPress page builder, empowering users to enhance their websites with a ton of features and widgets. However, the recent report of within this plugin puts millions of users at risk since the plugin has an active installation of 2+ million. 

Source: Wordfence

According to a security advisory published by Wordfence, the vulnerability specifically targets the “Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders” plugin, up to version 5.9.11. The vulnerability, categorized as “Authenticated (Contributor+) Stored Cross-Site Scripting,” highlights lapses in input sanitization and output escaping mechanisms within the affected widgets.

This vulnerability, assigned a severity score of 6.4 on the Wordfence vulnerability scale, highlights the potential risks associated with improper input validation. Furthermore, the advisory outlines the possibility for authenticated attackers, with contributor-level access or higher, to exploit the vulnerability by injecting arbitrary web scripts into affected pages.

Essential Addons for Elementor Responds to the Vulnerability 

Source: Wordfence

The developers behind Essential Addons for Elementor have addressed the recent vulnerability by releasing a comprehensive security patch. This patch not only tackles the Stored Cross-Site Scripting (XSS) vulnerabilities but also addresses various other flaws within the WordPress plugin.

In their latest patch version 5.9.13, several critical issues have been resolved, including fixes for the EA Table of Contents, ensuring it no longer throws PHP Fatal errors when the Display on option is set to Custom Post Types. Additionally, minor bug fixes and improvements have been implemented to enhance the overall stability and performance of the plugin.

Previous versions, such as 5.9.12 and 5.9.11, also saw fixes to key functionalities. For instance, issues with the EA Pricing Table, EA Advanced Accordion, EA Advanced Tabs, and EA Login Register Form have been addressed, ensuring seamless operation across various features.

Furthermore, compatibility with popular themes and plugins like Fluent Form and Gravity Forms has been improved, minimizing conflicts and enhancing user experience. Alongside security updates, improvements in accessibility support have been made, ensuring that the plugin remains inclusive and user-friendly for all website visitors.

The Stored Cross-Site Scripting (XSS) Pandemic

Stored Cross-Site Scripting (XSS) vulnerabilities pose a threat to website security, enabling attackers to execute malicious scripts within the browsers of unsuspecting visitors. Such attacks could potentially lead to the theft of session cookies, thereby granting unauthorized access to sensitive website functionalities.

XSS vulnerabilities are prevalent in web applications and often result from inadequate input sanitization and output escaping mechanisms. These vulnerabilities have taken a toll on WordPress users recently with many plugins having inadequate security settings, allowing threat actors to exploit the vulnerability and initiate remote code execution. 

According to Wordfence, the Essential Addons for Elementor vulnerability “makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Source: Wordfence

Previously, Wordfence reported the same vulnerability within the Rank Math plugin. Researcher Ngô Thiên An (ancorn_) uncovered the vulnerability within the Rank Math plugin, which impacts versions up to and including 1.0.214. The vulnerability is associated with the plugin's management of attributes within the HowTo block.

This lapse in input sanitization and output escaping means that authenticated attackers with contributor-level access or higher can inject arbitrary web scripts. These scripts have the potential to execute whenever a user interacts with the compromised page, posing a risk to user sessions and sensitive data.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button